www.csoonline.com  $9.00  July/August  2009 


Smarter  technology  for  a  Smarter  Planet: 

Can  the  boundaries  of  a 
business  be  defined  by  its 
people  instead  of  its  walls? 

Businesses  like  nice  solid  walls,  both  the  physical  and  the  fire  variety. 

But  on  a  smaller,  flatter,  smarter  planet,  we  increasingly  find  ourselves 
working  with  people  far  outside  those  walls:  partners,  suppliers, 
customers  and  remote  employees.  Instead  of  protecting,  those  nice 
solid  walls  stand  in  the  way  of  how  people  want  to  work. 

IBM  is  incorporating  new  tools  like  social  software,  wikis,  blogs  and 
presence  awareness  throughout  its  entire  collaboration  portfolio  to  help 
people  in  companies  reach  beyond  their  walls.  The  next  challenge  is  to 
give  people  the  tools  they  need  anytime  and  anywhere  they  need  them, 
not  when  their  tech  department  has  time  to  set  them  up. 

That’s  why  IBM  is  offering  a  new  way  of  accessing  its  collaboration  and 
social  networking  tools:  through  the  cloud.  To  the  individual,  cloud-based 
tools  like  LotusLive™  let  people  work  securely  with  whomever  they  want 
to,  regardless  of  what  side  of  the  firewall  they  find  themselves  on.  To  the 
organization,  these  collaboration  tools  enhance  the  productivity  of  its 
employees  without  the  cost  and  complexity  of  building  and  managing 
any  additional  infrastructure,  giving  them  a  seamless  extension  of  their 
capabilities.  And  it’s  all  backed  by  the  legendary  security  that  companies 
expect  from  IBM.  So  organizations  don’t  have  to  tear  down  their  walls 
to  reach  beyond  them. 

A  smarter  business  needs  smarter  software,  systems  and  services. 

Let’s  build  a  smarter  planet,  ibm.com/collaborate 




IBM,  the  IBM  logo,  ibm.com,  Smarter  Planet  and  the  planet  icon  are  trademarks  of  International  Business  Machines  Corp.,  registered  in  many  jurisdictions  worldwide.  Other 
product  and  service  names  might  be  trademarks  of  IBM  or  other  companies.  A  current  list  of  IBM  trademarks  is  available  on  the  Web  at  www.ibm.com/legal/copytrade.shtml. 


ADVERTORIAL

Identity Access Management

Making strides in managing IAM with cost-effective solutions

Binod Singh, president, CEO & co-founder, ILANTUS Technologies

Singh, an acknowledged international business expert in identity management, is a 20-year veteran of the IT industry. He has held senior management positions at organizations including Computer Associates, Compaq and Digital.

Over the past decade, the Identity & Access Management (IAM) industry has grown considerably. Here, Singh shares his perspective on this developing sector.

What are IAM’s primary growth areas?

As the IAM industry continues to evolve, three significant growth areas exist. The first is Access Governance. This sector includes solutions for Role Engineering, Segregation of Duty and Entitlement. Access Governance is critical for compliance and relevant to organizations that have or have not implemented IAM solutions.

The second area is Identity Federation. Although collaboration allows companies to offer more comprehensive services, it also opens areas of concern—for example, the risk of inadvertently sharing confidential information. As a result, organizations are turning to federated solutions as a trusted identity infrastructure between parties.

The third area is Managed Identity Services. Due to the long implementation lead times and high capital investment involved, Hosted Identity Services is gaining acceptance. The Software-as-a-Service model has become an attractive alternative. By embracing this platform, companies do not need to make a capital investment in buying licenses, yet they benefit by renting the service.

How does ILANTUS support customers in each of these areas?

Our goal is to demystify Identity Management through sensible, packaged offerings that address Role Engineering, Segregation of Duty and Entitlement Management.

We have taken great strides in reducing the total cost of ownership—by as much as 75 percent—so companies of all sizes can easily embrace solutions. We have also cut down on the implementation time frame by more than 40 percent. We continue to bundle the industry’s top tools together with fixed-fee implementations and long-term support. We are focused on reducing implementation lead times from the industry average of six to 18 months to just three to six months.

ILANTUS was one of the first organizations to work in the Federated Identity space. As a result, we have a large number of commercial and governmental clients, as well as an intimate working knowledge of the available technologies. Our recent work with a U.S. state government puts us in a prime position to help governmental units reduce health care costs through public-private partnerships. While others have held true to traditional delivery models, ILANTUS has been a trailblazer in providing Managed Identity Services designed to fit individualized needs. We are working with many Fortune 500 customers that have outsourced all of their Identity Management work, including day-to-day administration and 24/7 support operations.

Why is ILANTUS unique in this space?

ILANTUS provides comprehensive end-to-end Identity Access Management and Governance solutions. Because we have developed and nurtured relationships with the key technology vendors identified in Gartner’s Magic Quadrant, ILANTUS is in a prime position to offer the widest range of technologies, backed up with full implementation and long-term support experience.

Likewise, ILANTUS provides the widest possible choice in terms of consulting: before the purchase, during implementation and going forward. Lastly, while others work strictly on a time and material basis, ILANTUS offers fixed-fee Identity Management solutions to provide clients with an attractive risk-free alternative.

What  are  ILANTUS'  future  plans? 

We are investing heavily in expanding our 24/7 support offering and continuing to add depth and breadth to each implementation area. We are making major investments into Managed Identity Services. We continue to invest in building long-term relationships with our customers rather than worrying about profit from each transaction.


FOR MORE INFORMATION

To learn more about Identity & Access Management, please visit: www.ilantus.com


Ilantus: The Identity Management People

CSO Custom Solutions Group


July/August  2009  Vol.  8,  No.  6 


Features... 

24 Who’s Using Your Brand?

Cover Story | CSO Role. In the physical and digital worlds alike, security is ever more entrenched in protecting the corporate brand. By Joan Goodchild

28 Guarding Against Fraud

Fraud. Downsizing and desperation are fueling a rise in occupational fraud. How do you stop a rogue employee? By Stacy Collett


4  From  the  Editor 
6  From  the  Publisher 

8  Join  the  Discussion 

CSOonline  readers  debate  the 
need  for  security  intelligence 
and  rebuilding  the  case  for 
cybersecurity 

13  Briefing 

■  Cyberwar:  Is  offense 
the  new  defense? 

■  Five  security  holes 
at  the  office 

■  Universities  cope  with  new 
antipiracy  requirement 

■  Security  analyst  to 
DLP  vendors:  Watch 
your  language 

■  Symantec,  McAfee  to  pay 
fines  over  auto-renewals 


20 Choosing Enterprise Antivirus

Toolbox. In the company setting, there’s much more to consider than just speed and accuracy, though those are important, too. By Mary Brandel

32 Five Career Lessons from the Trenches

Undercover. Company politics, stonewalling, layoffs: sometimes it’s part and parcel of the security job. Here are one CISO’s takeaways. By Anonymous

34 Seven Practical Ideas for Security Awareness

CSO View. Former CISO Audrey Agle offers steps for creating the culture necessary to protect your organization.

36  Debriefing 

Called  for  Travelling 


Also  Inside... 


CSO (ISSN 1540-904X) is published monthly except for a combined issue in July/August and December/January by CXO Media Inc., 492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208. Periodical Postage Rate at Framingham, MA 01701, and at additional mailing offices. Canadian Publications Mail agreement number 1902075. Canadian Postmaster: Please return undeliverable copy to P.O. Box 1632, Windsor, ON N9A 7C9. Copyright 2009 by CXO Media Inc. All rights reserved. Reproduction of material appearing in CSO is forbidden without written permission. Permission to photocopy for internal or personal use or the internal or personal use of specific clients is granted by CSO for users through the Copyright Clearance Center, provided that a fee of $3.50 per copy of the article is paid directly to Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01970, www.copyright.com. Please specify: ISSN 1540-904X. Permission to photocopy does not extend to contributed articles followed by this symbol: †. Address inquiries to CSO, P.O. Box 3482, Northbrook, IL 60065; 866 354-1125. CSO is free to qualified security executives. To all others the one-year basic rate is $70 for the United States and Canada, $95 to foreign countries (payable in U.S. funds only). The single copy price is $9 to the U.S. and Canada and $15 International. Please allow four to six weeks for new subscriptions to begin. Change of Address: Go to www.omeda.com/custsrv/cso and follow the online instructions. Postmaster: Send change of address to: CSO, P.O. Box 3482, Northbrook, IL 60065. Printed in the USA.


Cover  Illustration  by  Dan  Page 


July/August  2009  www.csoonline.com  3 


[  FROM  THE  EDITOR] 


Search  Party 

The  Internet  era  demands  you  add 
yet  another  skill  to  the  CSO  arsenal 

One  of  the  reasons  security  is  fun  and 
interesting  is  that  it  requires  a  constant 
upgrade  of  your  skills  and  knowledge. 
Here  is  a  skill  that  you  may  not  have 
realized  you  need,  but  you  need  it:  Become  a 
master  of  Internet  search. 

Obviously  I’m  talking  about  a  lot  more 
than  tossing  a  few  words  in  the  Google  box  and 
pushing  the  search  button. 

I’m talking about understanding how to run very specific searches to find information leaks within your company and outside of it, whether intentional or accidental. Such leaks might come in the form of intentional, outright posting of sensitive information by ex-employees. Or they might be misconfigured or forgotten Web applications that weren’t supposed to be publicly accessible (search CSOonline.com for “University of Florida Web Breach”).

Other  searches  will  help  you  find  websites 
using  your  organization’s  trademarks  for 
nefarious  purposes,  or  selling  counterfeit 
or  grey-market  products  in  your  name.  See 
Senior  Editor  Joan  Goodchild’s  look  at  brand 
protection  (Page  26),  which  offers  examples  of 
CSOs  playing  a  key  role  in  this  fight. 

Still, other searches might turn up scraps of information on your own website that reveal information that hackers use to footprint your systems. Overly informative 404 error messages, for example.

How  good  are  you  at  Web  search? 

■  Do you know how to find Excel spreadsheets posted on the Web?

■  Do  you  know  how  to  find  documents  that 
include  key  intellectual  property  phrases? 

■  Do  you  know  how  to  winnow  broad  search 
results  down  to  just  the  important  ones? 

■  Do  you  know  how  to  use  Google  news  alerts 
and  blogging  tools  to  see  what’s  being  said 
about  your  company? 

■  Do you know how to find publicly available information as part of an employee background check?


Happily,  there  is  a  lot  of  advice  about 
search  on  the  Web.  You  don’t  have  to  take  out 
a  student  loan  and  go  back  to  school  to  learn 
this  skill. 

Here is a wonderful tutorial on basic searches, provided by Google itself: www.google.com/support/websearch/bin/answer.py?hl=en&answer=136861.

Here  is  an  older  CSOonline.com  article  that 
provides  four  searches  you  should  run  on  your 
own  company: 

www.csoonline.com/article/221133. 

I’ll  let  you  fire  up  your  browser  and  find 
other  good  resources  yourself. 

-Derek Slater,  dslater@cxo.com 


Editor  in  Chief  Derek  Slater 
Senior  Editors 
Bill  Brenner,  Joan  Goodchild 
Copy  Editor 
Kristin  Burnham 
Editorial  Administrator 
Simone  Levien 
Contributors 

Audrey  Agle,  Mary  Brandel,  Stacy  Collett, 
Robert  Lemos,  Robert  McMillan 

DESIGN 

Executive  Director,  Art  and  Design 

Mary  Lester 

Art  Director  Steve  Traynor 

RESEARCH 

Research  Manager  Carolyn  Johnson 

TECHNICAL  ADVISORY  BOARD 

Jason  Cowling 

Jeremiah  Grossman,  WhiteHat  Security 
Frank  Murphy,  TBG  Security 
Stephen  Northcutt,  SANS  Institute 
Richard  Power,  Carnegie  Mellon  CyLab 


EDITORIAL/ADVERTISING/ 
BUSINESS  OFFICES 

492  Old  Connecticut  Path, 

P.O.  Box  9208, 

Framingham,  MA  01701-9208 
Main  phone  number:  508  872-0080 




INTERNATIONAL  DATA  GROUP 

Chairman  of  the  Board 
Patrick  J.  McGovern 
IDG  COMMUNICATIONS,  INC. 

CEO  Bob  Carrigan 

Chief  Content  Officer 
John  Gallant 






Photo  by  Webb  Chappell 


SYMANTEC PROTECTS MORE

[advertisement word cloud: enterprises, information, systems, organizations, servers, teams, profits, assets, manufacturers, individuals, social networks, industries, websites, files, medical records, customers, companies, data, environments, governments, virtual environments, communities, small businesses]

THAN ANYONE


SYMANTEC  IS  THE  WORLD  LEADER  IN  SECURITY. 

Know  what  it  takes  to  be  secure  today  at  go.symantec.com/securityleader 


Confidence  in  a  connected  world. 


Symantec.


©2009  Symantec  Corporation.  All  rights  reserved.  Symantec  and  the  Symantec  Logo  are  registered  trademarks  of  Symantec  Corporation  or  its  affiliates  in  the  U.S. 
and  other  countries.  Other  names  may  be  trademarks  of  their  respective  owners. 


[  FROM  THE  PUBLISHER  ] 


The  Missing 
Asset 


Maybe it’s just me, but it seems that recently a great many key organizations have lost critical people due to death, more so than I recall seeing in the past. Michael Jackson, Billy Mays, etc. It makes me wonder how a business addresses the loss of key contributors and is able to continue to operate.

Now I’m not just talking about the random employee who may tragically die in a car accident. I’m talking about the key people in the organization without whom the company will face significant hardship. Michael Jackson was the key player behind a multimillion dollar brand with a major tour in the works. His death effectively ended that tour and sank those millions into a black hole. Unless, of course, there was insurance in place, as I assume there was. Billy Mays: same thing. He went from being a pitch-man to having a sizeable business. With his death, can that business survive?

Steve Jobs didn’t die, but his health has played front and center in the financial performance of his business, Apple. In this case, you have to believe that Wall Street was driving more of the concern, but what would have happened if he had not lived or had to leave the company permanently? Would the company continue to be as visionary as it currently is and has been in the past? Would their stock have been battered? You get where I’m going.


At  some  point,  this  is  a  question  that  every 
business  needs  to  examine.  It’s  a  key,  but  often 
overlooked,  tenet  of  business  continuity.  It’s 
great  if  the  business  is  still  standing,  but  what 
about  the  intellectual  capital  and  leadership 
provided  by  key  performers?  I’ve  always 
believed  that  everyone  can  be  replaced,  but 
at  what  cost?  In  the  litigious  society  in  which 
we  live,  do  we  really  believe  that  a  company 
can  absorb  three  or  four  quarters  of  marginal 
performance  as  they  transition  into  new 
leadership?  The  company  might  survive,  but  I 
can  already  see  the  flurry  of  lawsuits  heading 
its  way.  Does  that  change  the  dynamics?  It 
sure  does. 

The message here is to plan ahead. Be asking the questions today about what would happen to your business if you were to lose a key player. It’s great that you can reconstitute your IT systems in 24 hours, but what happens when the CEO has shed his or her earthly bonds on short notice? Have a plan worked out and ready to go because you can’t afford to miss a beat.

-Bob  Bragdon,  bbragdon@cxo.com 


Advertiser  Index 


ASIS International . . . . . 11
CA . . . . . C4
CDW Corp . . . . . 12
CXO Media Inc . . . . . 21, 35
Executive Women’s Forum . . . . . 7
HID Corp . . . . . 9
IBM Corp . . . . . C2
ILANTUS Technologies . . . . . 2
ISACA . . . . . C3
Lumension Security . . . . . 17
Symantec Corp . . . . . 5
Trend Micro Inc . . . . . 15


Photo  by  Christopher  Navin 




President  and  CEO 
Michael  Friedenberg 
Publisher  Bob  Bragdon 
National  Sales  Manager 
Per  Melker 

East  Coast  Regional  Sales  Manager 

Roz  Burke 

West  Coast  Regional  Sales  Manager 
Michelle  McHugh 

INTEGRATED  MEDIA  AND 
ONLINE  SALES 

Vice  President,  Online  Sales 

Brian  Glynn 

Online  Regional  Sales  Manager 
Richard  Hartman 
Online  Regional  Sales  Manager, 
West  Coast  Erika  Karr 
Manager,  Online  Account  Services 
Danielle  Tetreault 

Online  Account  Services  Specialists 

Jennifer  Malkasian,  Tara  Shea 

CUSTOM  SOLUTIONS  GROUP 

Vice  President  Matt  Avery 
National  Sales  Director 

Adam  Dennison 

PRODUCTION 

VP/Manufacturing  Chris  Cuoco 
Production  Manager  Heidi  Broadley 
Associate  Production  Manager 

Lisa  M.  Stevenson 

EXECUTIVE  PROGRAMS 

VP,  Executive  Programs 
Ellen  Daly 

Director,  Event  Marketing 

Mary  Conroy 

Director,  Event  Operations 

Deb  Begreen 

Editorial  Manager  Lafe  Low 
Sales  Associate 
Lauren  Costello 
Event  Planner  Sarah  Reagan 
Event  Planner/Client  Relations 
Laura  Biringer 

Registration  Specialist  Cress  O'Brien 
Senior  Marketing  Specialist 

Lauren  Wilson 

Client  Services  Specialist  Erica  Foster 

LIST  SERVICES 

Contact Paul Capone of IDG List Services at 508 370-0865 or pcapone@idglist.com

REPRINTS  &  PERMISSIONS 

For information about reprints and copyright permissions, please contact The YGS Group, 800-290-5460 ext. 150, cso@theygsgroup.com


Alta Associates

7th Annual EXECUTIVE WOMEN’S FORUM

Information Security, Risk Management & Privacy


September  23-25,  2009  |  Hyatt  Regency  at  Gainey  Ranch  !  Scottsdale,  AZ 


Pragmatic  Risk  Solutions  for  Changing  Times: 

Achieving  More  with  Less 


The 7th annual Executive Women’s Forum brings together more than 200 women of influence, power and intelligence to exchange pragmatic risk solutions. Hosted by Alta Associates, Inc.


•  Earn  17  CPE  Credits 

•  Build  a  Network  of  the  Most  Dynamic  Women  in  Our  Industry 

•  Take  Home  Tools,  Templates  &  Solutions  to  Achieve  Success 

•  Expand  Your  Expertise  &  Capabilities 


Keynote  Speakers:  Marianne  Brown — CEO,  Omgeo 

Jane  Carlin — Managing  Director,  Morgan  Stanley 

Panels  Include: 

•  Measuring  Security:  Real  Experience  and  Actionable  Results 

-  Learn  security  metrics  enterprise  solutions  and  current  industry  status  regarding  both  quantitative 
research  and  implementation  options. 

•  Winning  Mind  Share — Writing  Effective  Proposals 

-  Tie  IT  investments  to  business  drivers,  calculate  ROI  based  on  your  project  and  lower  the  overall 
risk  to  your  company. 

•  Compliance  Globalization  Framework  Workshop 

-  Develop  requirements  and  controls  to  multiple  obligations,  create  a  unified  approach,  consider 
the  benefits  and  costs. 

•  Emerging  Technologies  Workshop:  Cloud  Storage  &  Computing,  Web  2.0  and  Mobility 

-  Work  in  groups  to  discuss  and  then  present  the  current  state,  architecture,  risks,  rewards  &  tools 
used  to  evaluate  them. 

•  Gaining  Efficiencies  through  Vendor  Risk  Management 

-  Discuss  third  party  relationship  life  cycles  and  take  away  a  risk  assessment  framework. 

•  The  Future  Privacy  Landscape 

-  Information  security,  privacy  and  regulatory  experts  discuss  how  the  new  administration,  new 
technologies  and  new  regulations  affect  the  global  privacy  and  regulatory  landscape. 


Women  of  Influence  Awards 

Nominate  your  peers,  clients  and 
customers  for  the  Women  of  Influence 
Awards.  Co-presented  by  CSO  Magazine 
and  Alta  Associates,  the  awards  honor 
four  women  for  their  accomplishments 
and  leadership  roles  in  the  fields  of 
security,  risk  management  and  privacy. 

Winners  will  be  announced  at  an 
awards  ceremony  during  the 
Executive  Women's  Forum. 

NOMINATION  FORM  AVAILABLE  AT: 

www.ewf-usa.com 

MUST  be  submitted  by  August  1,  2009 


MEDIA  SPONSOR 
&  AWARDS 

co-presenter: 


FORUM  HOST 
&  AWARDS 

co-presenter: 


CSO

Alta Associates, specialists in executive recruiting


DIAMOND SPONSORS


Symantec


I nformation  Networking  Institute 

Carnegie  Mellon 


Microsoft 


For  more  information  on  the  EWF  or  to  register,  please  visit:  www.ewf-usa.com 


What’s on your mind? Security leaders discuss and debate at www.csoonline.com


BLOG  POST 

The  Need 
for  Security 
Intelligence 

Orbitz CISO Ed Bellis on how to make better security decisions

No, I am not speaking of military intelligence, but rather business intelligence within a security context. Business intelligence and decision support systems have now been widely used by many of our counterparts within our organizations to obtain a better view of reality and in turn make better decisions based on that reality. These decision support systems have been helping teams throughout our companies in identifying areas of poor product performance, highlighting areas of current and potential future demand, key performance indicators, etc. We in the information security field need to learn from our business counterparts in taking advantage of some of the existing underlying technology within this space to make better security decisions.

While  many  of  the  tools  and  technology 
already  exist,  much  of  the  data,  sadly,  does 
not.  This  has  been  a  common  complaint  of 
security  practitioners  who  have  examined 
this  space.  This  fact,  however,  should  not 
prevent  us  from  doing  anything.  There  is 
still  data  out  there  that  we  are  all  sitting  on 
today,  waiting  to  be  culled  and  mined. 

From books such as The New School of Information Security and Security Metrics, we know there are a lot of areas we could be measuring within information security to allow us to make better decisions. A simple example might lie within enterprise vulnerability management.

Where are the sources? Certainly the data isn’t a panacea (at least the publicly available and open-shared data), but there is enough of it out there that we can improve some of our decision making. There are a number of vulnerability data sources that companies can leverage to aggregate this information in a meaningful way, beginning, of course, with their own internal vulnerability data across their known hosts, networks and applications. Add to the mix relevant configuration and asset management data and publicly available sources and subscription services. Some of this information can be bucketed by industry as well.

Sprinkle in some threat data. So it’s one thing to understand your vulnerable state, but that doesn’t really give us a clear picture on any sort of likelihood, probability or risk of compromise. We also need to understand what some of our threats are. Unfortunately, this set of data isn’t as clear. There are some sources we can begin to pull information from in order to overlay some basic decision support. These include Honeynet and honeypot sources, public databases such as datalossdb and malwaredb, threat clearinghouses (currently not fully available to the public), publications such as the Verizon DBIR and so on. To quote the New School, “breach data is not actuarial data,” but combined with some intelligence, it can add a small level of priority. Imagine feeding real-time honeynet data into your BI systems.

...And start tying it to your business. This space is clearly in its infancy, and we have a long way to go, but I, like many others, believe this is a discipline we must take up if we are to begin making more credible and rational decisions within information security. Using the data discussed, we can begin to tie in some of the sources the other parts of the business are already using readily to understand values of various transactions. This gives us at least a high level of what’s important and where we may be able to focus some near-term effort. If we analyze the industry data, we may be able to understand whether we are a “target of choice” or a “target of opportunity,” which may play into the level of effort to remediate a given bug and whether to invest more or less in detective controls. We can use clickstream from our Web analytics tools to detect fraudulent behavior or business logic flaws within our Web applications. Companies like SilverTail Systems are already taking advantage of this type of information.




Photo  by  iStockphoto.com 


For  log-on  security,  forget 
passwords,  remember  HID. 


HID, the world leader in physical access control, can now provide secure access to your network. All on your current card.

Passwords have long been used as a means of log-on security, but an easier, more reliable way to control access to Windows® is the same way you do with your doors: with HID contactless technology. You don’t have to re-badge. It’s ready to go from day one with the same credential. And it’s an easy transition for cardholders; they’re already familiar with the contactless technology. Proven, cost-effective, simple: HID is where convenience meets security on the desktop.

Get  your  FREE  white  paper  at 
passwords.hidglobal.com 


hidglobal.com


ACCESS  logic. 


>>  DISCUSSION 


As we get higher quality data, we can make decisions that help us align with the risk appetite of the business by measuring the difference between current state and targets. Then envision, as Mark Curphey speaks of, using business process management tools to automate the remediation workflow. There are all kinds of places this information can take us, but we have to start using what we have and not just sit around hoping for a day of “better data.”

-Ed Bellis
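The recipe the post describes, internal vulnerability data joined with asset and business data and then with threat data, worked through as an added example in Python. It is not code from the post, from its author or from Orbitz. The scan findings, asset records and threat observations are constructed, and the weighting (a business-value bucket, doubling for internet exposure, doubling for observed exploitation plus a bonus for sensor hits) is an assumption chosen to make the effect visible, not a published scoring standard.

```python
"""Vulnerability prioritisation from joined data sources.

Added example; it is not part of Ed Bellis's post. It joins three of the
data sets the post lists (internal scan findings, asset and business data,
threat data) and ranks findings so that remediation effort follows business
value and observed threat rather than raw scanner severity. Every record
below is constructed, and the weights are an assumption for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed internal scan findings: host, vulnerability id, scanner CVSS base score.
SCAN_FINDINGS = [
    {"host": "web-01", "vuln": "VULN-0001", "cvss": 9.8},
    {"host": "web-01", "vuln": "VULN-0002", "cvss": 5.3},
    {"host": "db-01", "vuln": "VULN-0003", "cvss": 7.5},
    {"host": "kiosk-7", "vuln": "VULN-0001", "cvss": 9.8},
    {"host": "unknown-9", "vuln": "VULN-0004", "cvss": 6.1},
]

# Constructed asset data from the CMDB and the business side: owner, the daily
# transaction value (USD) the business attributes to the host, and exposure.
ASSETS = {
    "web-01": {"owner": "checkout", "daily_value": 250_000, "internet_facing": True},
    "db-01": {"owner": "checkout", "daily_value": 250_000, "internet_facing": False},
    "kiosk-7": {"owner": "facilities", "daily_value": 500, "internet_facing": False},
}

# Constructed threat data (honeynet logs, breach/malware databases): is the bug
# being exploited, and how many attempts did our sensors see in the last week?
THREATS = {
    "VULN-0001": {"exploited_in_wild": True, "honeynet_hits_7d": 140},
    "VULN-0003": {"exploited_in_wild": False, "honeynet_hits_7d": 0},
    "VULN-0004": {"exploited_in_wild": True, "honeynet_hits_7d": 3},
}


@dataclass
class Ranked:
    host: str
    vuln: str
    score: float
    reasons: list = field(default_factory=list)


def value_weight(asset: Optional[dict]) -> float:
    """Business-value bucket (assumed weights). Unknown hosts get the middle
    weight so they are not buried, and are reported by unknown_hosts()."""
    if asset is None:
        return 2.0
    v = asset["daily_value"]
    return 3.0 if v >= 100_000 else 2.0 if v >= 10_000 else 1.0


def threat_weight(threat: Optional[dict]) -> float:
    """Observed exploitation doubles the weight; sensor hits add up to +100%."""
    if threat is None:
        return 1.0
    hits = min(threat["honeynet_hits_7d"], 100) / 100
    return (2.0 if threat["exploited_in_wild"] else 1.0) * (1.0 + hits)


def score_finding(finding: dict) -> Ranked:
    """CVSS/10 scaled by business value, exposure and threat, with the reasons kept."""
    asset = ASSETS.get(finding["host"])
    threat = THREATS.get(finding["vuln"])
    r = Ranked(finding["host"], finding["vuln"], finding["cvss"] / 10)
    r.score *= value_weight(asset)
    r.reasons.append("unknown asset" if asset is None else f"owner={asset['owner']}")
    if asset and asset["internet_facing"]:
        r.score *= 2.0
        r.reasons.append("internet facing")
    r.score *= threat_weight(threat)
    if threat and threat["exploited_in_wild"]:
        r.reasons.append(f"exploited in wild, {threat['honeynet_hits_7d']} honeynet hits")
    return r


def prioritise(findings=SCAN_FINDINGS) -> list:
    """Rank findings, highest score first."""
    return sorted((score_finding(f) for f in findings), key=lambda r: r.score, reverse=True)


def unknown_hosts(findings=SCAN_FINDINGS) -> list:
    """Scanned hosts the asset inventory does not know about: a data-quality gap
    to close before the scores for those hosts mean much."""
    return sorted({f["host"] for f in findings if f["host"] not in ASSETS})


if __name__ == "__main__":
    for r in prioritise():
        print(f"{r.score:6.2f}  {r.host:10} {r.vuln}  ({'; '.join(r.reasons)})")
    print("not in inventory:", unknown_hosts())
```

With these inputs the same CVSS 9.8 bug ranks about six times higher on the internet-facing checkout server than on the facilities kiosk, and a medium-severity bug on the checkout server outranks a high-severity one on the database host that nobody is exploiting. That is the point of the join: the scanner score alone would have put the kiosk first. The unknown_hosts() list is the other output worth acting on, since a host the CMDB has never heard of cannot be valued at all.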

BLOG  POST 

Rebuilding 
the  Case  for 
Cybersecurity 

Over the past few months, I’ve discussed security topics with professionals from across America. I keep hearing the same questions: How do we build (or rebuild) the case for improving cybersecurity during this economic downturn? Why aren’t more companies (or governments) hiring certified security professionals right now? Why can’t my security program get any respect from upper management? Should I just sit back and ride out the recession by waiting? Why doesn’t my management get it? Or, getting even more personal, why can’t I find a security job? Bottom line—with all of the ID theft, fraud and hacker stories, why are they cutting my security budget?

Yes, there are plenty of good answers. Hundreds of articles and white papers have been written over the past few years on return on investment (ROI) for security, the fear, uncertainty and doubt (FUD) factor, focusing on risk assessments and ways to leverage HIPAA and other compliance efforts. I’ve used each of these approaches over the years to sell security projects, and we still need to apply similar arguments.

But can we be doing more to improve our chances? More important, should we act differently moving forward? I think we need to focus on our language. What are the enterprise priorities and the words we say to describe those priorities? Good security execs have learned that they need to be discussing how to enable—not disable—and offer secure alternatives, but what are we enabling?

My point is that we need to rethink the words we use to sell security (or any other technology initiative) in this new environment. Despite their validity, the old arguments for security often fall short today when everyone is cutting. Success usually starts with the right words on the agenda for important meetings with key stakeholders. Use the wrong words, and that urgent threat discussion may never even occur. I’m not talking about spin, but allowing security and risk to be incorporated into hot projects. Focus on their agenda, and you will be more successful.

What  are  your  thoughts?  Any  good  war 
stories  about  selling  security  to  execs? 

-Dan  Lohrmann 


HOW TO REACH US

You  can  contact  us 
directly  or  post  your 
thoughts  on  specific 
articles  and  blogs  at 
www.CSOonline.com. 

Derek Slater, Editor in Chief
dslater@cxo.com
508 935-4213
Twitter: @derekcslater

Bill  Brenner,  Senior  Editor 
bbrenner@cxo.com 
508  988-7587 
Twitter:  @billbrenner70 

Joan Goodchild, Senior Editor
jgoodchild@cxo.com
508 988-7994
Twitter: @msjoanieg

Subscriber  Services 

Phone:  866  354-1125 
Fax:  847  564-9453 
E-mail:  cso@omeda.com 

Reprints  &  Permissions 

For  information  about  reprints 
and  copyright  permissions, 
please  contact  The  YGS  Group, 
800  290-5460,  ext.  150, 
cso@theygsgroup.com. 


MORE  ON  THE  WEB 

Experts  Only:  Time  to  Ditch  the  Antivirus? 

“As an experienced security guy, I have no faith in most of the AV packages out there because they’re completely reactive, offer little advance protection, massively increase the attack surface and have a long history of vulnerable ActiveX controls. I’ve never used AV software and I’ve never once been infected with a virus.” -DAVID LITCHFIELD, a leading database security expert

www.csoonline.com/article/495827 


10 www.csoonline.com July/August 2009


ASIS  Solutions  Can  Help  You  Rest  Easier 


While  the  economy  is  down,  threats  are  on  the  rise.  Because  security  challenges  never  end,  ASIS  2009’s 
vast  Exhibit  Hall  delivers  up-to-date  solutions  to  mitigate  every  risk  in  every  spectrum  of  security,  from 
vertical  industries  to  government  to  private  to  international.  With  some  850  manufacturers,  service 
providers,  entrepreneurs,  and  visionaries  on  hand,  this  is  the  one  place  that  you  can  test  and  compare 
products  and  services  side  by  side — and  uncover  the  very  best  tools  to  counter  the  risks  you  face.  From 
advanced  knowledge  to  the  discovery  of  cutting-edge  technology  to  propel  you  forward,  no  other  show 
can  deliver  such  an  immediate  return  on  your  investment  and  ensure  a  future  of  growth. 


To  register  or  learn  more,  visit  www.asisonline.org/asis2009  or  call  +1.703.519.6200 


Condoleezza  Rice,  Secretary  of  State  (2005-2009) 

Wednesday,  September  23,  8:00  am-9:00  am 

ASIS  2009  presents  a  rare  opportunity  to  come  face-to-face  with  a  powerful 
and  respected  woman  who  has  influenced  some  of  the  most  significant 
foreign  policies  of  our  time.  Spend  an  hour  with  Condoleezza  Rice  as  she 
shares  compelling  stories  of  her  extraordinary  experiences  and  a  sweeping 
look  at  global  affairs. 


ASIS International

55th Annual Seminar and Exhibits

September 21-24, 2009 | Anaheim, CA
www.asisonline.org/asis2009 


Introducing  ASIS  Accolades — a  new 
awards  program  to  recognize  the  security 
industry’s  best  and  brightest! 




There are a number of ways to protect your network.
The first should be to give CDW a call.




McAfee 


We're  there  with  the  security  solutions  you  need. 

Security  threats  won't  get  on  your  network  if  they  can't  get  to  the  network.  That's  why  client  security 
is  so  important.  CDW  has  a  wide  selection  of  top-name  firewall  protection,  antivirus,  antispyware, 
intrusion  prevention  and  more.  Our  personal  account  managers  along  with  our  highly  trained  technology 
specialists  have  the  expertise  you  need  to  ensure  your  network  is  fortified  and  secure.  So  call  CDW  today. 
And  eliminate  threats  before  they  even  become  threats. 


CDW.com  800.399.4CDW 


¹ Licensing requires a minimum purchase of five licenses; includes one-year Maintenance (12x5 telephone and online technical support, virus pattern updates and product version upgrades). ² Essential Support includes 24x7 technical phone support and upgrade insurance; call your CDW account manager for details. ³ Licensing requires a minimum purchase of 11 licenses; includes one-year Gold Support (24x7 technical support, upgrade protection and virus definition updates). Offer subject to CDW's standard terms and conditions of sale, available at CDW.com. ©2009 CDW Corporation

■0^4  ■'  .  '  '•■■■ 


CDW} 

The  Right  Technology.  Right  Away. 


Symantec™ Protection Suite Enterprise Edition

• Secure your environment against data loss, malware and spam by accurately identifying and addressing risks consistently across different platforms
• Reduce the time, cost and expertise needed to manage multiple technologies
• Adapt to risks faster and take action within minutes with the Symantec Global Intelligence Network

50-99 user license with one-year Essential Support² $59.99 CDW 1732734

McAfee® Total Protection for Data

• Prevents unauthorized access and transfer of sensitive information
• Strong encryption, authentication, data loss prevention and policy-driven security controls
• Centralize your security management and ensure continual file and folder protection

51-100 user license with 1 Year Maintenance³ $129.99 CDW 1389449

Trend Micro™ OfficeScan™ 10 Client-Server Suite Advanced

• Lowers security risks by blocking noncompliant devices from accessing the network
• Secures network traffic by blocking worms and BOTs with highly effective vulnerability signatures
• Reduces damage by isolating infected network segments to minimize damage

51-250 user license with one-year Maintenance¹ $49.99 CDW 1751056


“Oh, my God. He just said botnet!”


Edited  by  Bill  Brenner 


THREAT  WATCH 


Cyberwar: Is Offense the New Defense?

Many experts, including some in the military, argue that cyberweapons could make our networks safer. But will they?

Eight  months  after  it  started  spreading,  the  Conficker  worm 
remains  on  hundreds  of  thousands,  if  not  millions,  of 
computer  systems.  While  the  furor  over  the  worm  has  died 
down,  worries  over  the  capabilities  of  the  sleeper  botnet 
continue  to  concern  cybersecurity  experts. 

The call to do something about the latent threat is growing louder. In June, two German researchers, Felix Leder and Tillmann Werner, PhD students at the University of Bonn, advocated attacking back at the botnet before it’s used for another purpose.

“Most countermeasures nowadays are reactive; you wait for an attack to happen, and then you take the countermeasure,” Werner said in June at the Conference on Cyber Warfare, an event held by the Cooperative Cyber Defence Centre of Excellence in Tallinn, Estonia. “We need something that will stop the attack in advance.”

(Go to www.csoonline.com/article/348317 to see what a botnet looks like.)

The  two  students  are  well-known  among  security  researchers. 

In  March,  they  discovered  a  way  to  detect  Conficker-infected 
machines  using  network  scanning,  a  method  that 
allowed  defenders  to  detect  and  remove  a  large  number 
of  compromised  hosts. 

In their latest research, Leder and Werner have focused on four sophisticated botnets (Conficker, Waledac, Storm and Kraken) and claim that they have learned enough about each one to successfully attack and dismantle the malicious networks.

“We  could  do  disinfection  like  an  outbreak,”  Leder  said. 

The concept, which brings to mind past calls for “good worms” to combat fast-spreading infections, is resonating with cyberpolicy experts and military strategists, many of whom want to draft rules for the use of preemptive cyberattacks against potential threats, whether it’s a botnet, online criminal gang or nation-state.

Two U.S. government officials attending the Conference on Cyber Warfare argued that the United States, for one, needs to start making the hard policy decisions that would allow for offensive tactics in cyberspace. Both officials asked that their names and organizations not be used so they could talk freely.

It’s  logical  to  assume  that  the  U.S.  and  other  countries  that  actively 
pursue  cyberoffense  would  have  capabilities  at  least  as  good  as  the 
attacks  of  cybercriminals,  says  Herbert  S.  Lin,  study  director  for  the 
National  Research  Council’s  Committee  on  Offensive  Information 
Warfare.  “We  seem  to  be  developing  cybercapabilities  to  improve  our 
overall  military  posture,”  Lin  says.  “Sometimes  you  have  to  take 
the  offense  to  defend.” 

(Read “Cyber Conflict—The Modern Gold Rush” at www.csoonline.com/article/494306.)

While the policy surrounding cyberattack capabilities is still nascent, such technologies would give more choices to policy makers, Lin and others on the Committee on Offensive Information Warfare state in a report that will be published later this year by the National Academies Press.

But  not  everyone  agrees. 

Ned Moran, a consultant with Booz Allen Hamilton, argues that the idea has considerable weaknesses. While a massive cyberattack that takes down large portions of the Internet and destroys data could be likened to a nuclear strike, ongoing cyberespionage is better understood through a Cold War analogy, he says.

-Robert  Lemos 


Illustration  by  Veer 




>>  BRIEFING 


PHYSICAL  SECURITY 

Five  Security  Holes  at  the  Office 

We  poked  around  a  secure  building  with  social  engineering  expert  Chris  Nickerson 
and  found  several  ways  a  criminal  could  get  inside  and  access  sensitive  data 


If you think the biggest threat to your sensitive information lies in network security, think again. Once a criminal is inside a building, there are limitless possibilities to what that person can access or damage. Take a look at your building’s security.

How easy is it to get inside? We spent an afternoon with social engineering expert Chris Nickerson, founder of Lares, a security consultancy based in Colorado, to get an idea of some of the key vulnerabilities a criminal looks for in building security. Our goal for the day was to choose a building at random and find ways a con artist might be able to get inside the facility and pretend to be an employee. Once someone is inside, posing as a legitimate worker, their potential to steal data, hack a network or commit some other crime is high. Yet most offices, even the most secure, have holes, says Nickerson.

Of  course,  security  needs  will  vary  from 
building  to  building.  And  security  and  facility 
managers  have  to  make  their  own  individual 
determinations  about  what  kind  of  safeguards 
they  should  put  in  place.  But  with  Nickerson,  we 
aimed  to  point  out  some  of  the  things  a  social 
engineering  criminal  will  look  for  when  trying  to 
get  in  somewhere  they  have  no  right  to  be. 

First impressions. We headed to a building near CSO headquarters to see what we could find. We chose the building from one of several options in the area that we knew had a secured entrance and that required identification to get inside. Immediately upon walking onto the property, Nickerson pointed out that the first vulnerability is lack of external camera coverage. “I could be lurker-stalker guy and hang out in woods, beat someone’s badge out of them or steal something,” he said.

Power  supply.  The  next  place  Nickerson 
headed  was  the  building's  generator.  The 
generator  on  the  property  was  not  caged  or 
protected  externally  in  any  way.  Nickerson 
approached  the  generator  and  opened  it  with 
ease  because  it  was  unlocked.  In  addition 
to  the  obvious  gap  this  leaves  in  a  building’s 
business  continuity  and  disaster  recovery  plan, 
Nickerson  also  pointed  out  how  the  generator 
can  be  used  in  a  social  engineering  scam.  “It 
is  pretty  obvious,  now  that  we  see  a  generator, 
that  there  is  a  data  center  inside.  It’s  pretty 
easy  to  deduce  that  they  have  things  that  have 
to  stay  running,”  he  said.  “So  if  we  cut  the 
power  here,  you’ll  have  full  corporate  denial 
of  service.” 

Entryways. Our tour continued with a check of the back of the building, where Nickerson quickly spotted a smoking section. It was clear the area is used for smoking breaks because there was a standing ashtray filled with used cigarette butts. A common tactic for entering a secured building unseen is to hang out in the smoking area and wait to be let in by an unsuspecting employee. “A social engineer’s best friend is a cigarette,” said Nickerson.

A  cigarette  wasn’t  even  necessary  to  get 
into  the  building  at  this  facility.  The  back  door 
was  unlocked,  unguarded,  very  easy  to  open 
and  walking  into  the  building  was  simple. 

Parking lots. We didn’t go poking around the cars in the parking lot, but Nickerson said opening unlocked cars is part of his Red Team assessment, another common social engineering strategy. “People always leave their cars unlocked and there are always badges and other stuff in there. It’s a good place to get in and get all the credentials you need.”

Trash compactor. Our aim was to find ways a criminal could possibly enter the building and pull off a theft or other kind of security breach. But as Nickerson pointed out, the facility’s trash compactor brings the sensitive information outside and more directly into the hands of a thief. “Because they are compactors, it usually means they hold five times the amount of sensitive and bad stuff because they take forever to get emptied,” he said.

A  savvy  criminal  could  rent  a  vehicle 
that  looks  like  a  legitimate  business  van  or 
car,  such  as  a  generic  white  van,  park  next 
to  the  compactor  and  “shovel  it  in,”  he  said. 
Some  even  go  as  far  as  to  make  a  decal  with 
a  business  logo  that  can  be  affixed  to  the  side 
of  the  vehicle  so  no  one  will  question  why  the 
compactor  is  being  emptied. 

Technology makes it easier than ever for someone to pose as someone they are not. It is simple now to go to a copy shop or graphics store and produce a business decal that looks legitimate. However, one of Nickerson’s favorite ways to prep for an assignment is at a good, old-fashioned pawn shop. He looks for, and often finds, shirts and uniforms with company logos that can be used in an assessment test.

“You  look  at  the  facility  and  get  an  idea 
of  what  some  of  the  outs  are:  the  sprinkler 
and  lawn  care  service,  the  trash  service,  the 
internal  cleaning  services.  Try  and  get  a  profile 
of  what  they  look  like.  Then  go  thrifting  that 
day  looking  for  things.  Fifty  to  sixty  percent  of 
the  time  I  will  find  them."  -Joan  Goodchild 




Illustration  by  Chicken  Stock 


OVER $105M SPENT MONTHLY Cleaning Infected Computers

Employee Productivity Losses Hit All-Time High: Annual Costs to U.S. Enterprises Over $1 Billion

Security Update Costs Soar: $793M Spent Annually


A recent, independent research study shows that Trend Micro™ Enterprise Security, powered by the Trend Micro Smart Protection Network™, can lower your security management costs by up to 40%. That's because this next-generation, cloud-client security infrastructure enables a unique combination of solutions and services to stop threats before they reach your network, significantly reducing enterprise risk and productivity loss. Enterprises around the world are saving big and you can, too. Run the numbers and see how the Trend Micro Smart Protection Network can help you reduce costs without compromising security.

Trend Micro


►  Try  our  free,  online  TCO  impact  calculator  now  at  trendmicro.com/thinkagain 


Securing  Your  Web  World 


©2009 Trend Micro Inc. All rights reserved. Trend Micro and the t-ball logo are trademarks or registered trademarks of Trend Micro Inc. All other company and/or product names may be trademarks or registered trademarks of their owners.



COMPLIANCE 

Universities  Cope  With  New 
Antipiracy  Requirement 

Institutions  of  higher  education  are  now  required  to  curb  file  sharing 
on  campus  or  face  the  prospect  of  losing  federal  funding 


David Reis, director of IT security and policy at Thomas Jefferson University in Philadelphia, has been on what he calls a “nine-month journey” to figure out exactly how he’s going to make sure his school doesn’t break the law, even though they were never in trouble in the first place.

Reis’s headaches began at the end of last summer, just after President Bush signed into law the Higher Education Opportunity Act (HEOA), the first reauthorization of the Higher Education Act since 1998. The act included several new provisions, but the one that has Reis and others on college campuses concerned is a new requirement that schools ensure they are doing all they can to combat illegal file sharing among students.

The new rules, according to the wording contained in the legislation, require institutions to develop plans to “effectively combat the unauthorized distribution of copyrighted material, including through the use of a variety of technology-based deterrents.”

Schools  must  also,  “to  the  extent  practicable,  offer 
alternatives  to  illegal  downloading  or  peer-to-peer 
distribution  of  intellectual  property." 

Any institution found to be noncompliant could lose federal funding.

The  provision  made  its  way  through  due  to  the 
heavy  lobbying  efforts  of  groups  such  as  the  Recording 
Industry  Association  of  America  and  the  Motion  Picture 
Association  of  America. 

But Reis says that illegal file sharing has never been a problem at Thomas Jefferson University, and the requirement uses a broad brush to paint a picture that is inaccurate in many instances.

“We  have  not  received  one  complaint  about  one 
student,”  he  says. 

Reis  estimates  he  will  spend  approximately 
$100,000  implementing  new  hardware  and  software  in 
order  to  be  in  compliance  with  the  regulation. 

But  figuring  out  exactly  what  is  needed  is  not  easy. 
The  HEOA  is  still  in  the  negotiated  rule-making  process, 
so  the  exact  language  and  interpretation  from  the 
Department  of  Education  is  still  forthcoming. 

“Because the HEOA is in effect, campuses are under an obligation to make a good-faith effort to comply with the law,” according to Steve Worona, director of policy and networking programs with the nonprofit organization Educause, which supports higher education institution technologists. “But since the department hasn’t issued any detailed regulations of what that means, campuses are pretty much on their own to figure out what that means.”

Still,  some  of  the  concern  is  misplaced,  he  says. 

One reason is that many campuses are already doing some of what the legislation calls for. Indeed, the provision has had little impact on security practices at the University of Delaware (U.D.), which has a student body of just under 20,000. The school has had policy and other file-sharing deterrents in place for some time, according to Scott Sweren, U.D.’s information security officer.

“U.D. had procedures in place to respond to copyright violation notices prior to the act passing,” says Sweren. -A.G.


BY  THE 
NUMBERS 

31 

Number  of 
security  flaws 
Microsoft  patched 
in  June 

18 

Number  of 
vulnerabilities 
Microsoft  marked 
as  “critical” 

10 

Number  of 
security  updates 
Microsoft 
released  to 
address  the  31 
vulnerabilities 

90 

Percentage  of 
unsolicited,  often 
malicious  e-mail 
sent  to  corporate 
inboxes  in  April, 
according  to  a 
report  released 
by  Symantec’s 
MessageLabs 
Intelligence  Unit 

58 

Percentage  of  all 
spam  that  can  be 
traced  to  botnets, 
according  to  the 
same  report 

70

Amount, in gigabytes, of personal and financial data that the Torpig/Sinowal botnet was able to lift from hacked computers over a 10-day period, according to researchers from the University of California, who gained control over the well-known and powerful network of hacked computers for 10 days






Photo  by  iStockphoto.com 


Lumension

IT  Secured.  Success  Optimized.™ 

Learn  how  to  effectively  protect  your  vital 
information  by  going  to  our  resource  center  at 
www.lumension.com/security-tip-50 

1.888.725.7828 


DATA  PROTECTION:  The  cost  of  mobility  is  high. 

Unmanaged removable devices, like USB sticks and PDAs, put your data at risk
through  data  leakage  and  malware  introduction.  Lumension®  Data  Protection  gives 
you  the  power  to  enable  the  secure  use  of  these  devices  -  letting  you  run  your 
business  effectively  while  protecting  your  data  on  the  go. 

Vulnerability  Management  |  Endpoint  Protection  |  Data  Protection  |  Reporting  and  Compliance 


>>  BRIEFING 


Security Wisdom Watch

A look at the people, places and things making an impact, for better or worse, on the world of infosecurity in the past month

THUMBS UP: President Obama. Sure, that cybersecurity coordinator should be reporting directly to him and not the national security advisor. But the simple fact that Obama knows what a botnet is can only be seen as a step in the right direction.

THUMBS UP: Heartland Payment Systems CEO Robert Carr. He’s getting high marks from some analysts for his response to a massive data breach discovered at the credit- and debit-card payment processor earlier this year. Instead of stonewalling and making excuses, Carr has moved decisively to close the security holes that contributed to the breach and has reached out to customers and industry groups for feedback on the company’s response. CEOs usually hide when something like this happens, which has made Carr’s outreach all the more refreshing.

THUMBS BOTH WAYS: DLP vendors. There’s no doubt that security vendors are twisting the true definition of data loss prevention to market their products. But in their defense, few in the industry truly understand how to define it anyway.

THUMBS  DOWN:  Twitter.  True, 
the  author  can’t  get  by  without 
his  Twitter  feed  nearby.  But  let’s 
face  it:  The  microblog  is  being 
overrun  with  digital  miscreants 
who  are  finding  plenty  of  ways  to  attack 
people  in  140  characters  or  less.  Where’s 
that  Fail  Whale  when  you  need  it? 

-B.B. 


DATA  LOSS  PREVENTION 


Security  Analyst  to  DLP 
Vendors:  Watch  Your  Language 

It seems that most security vendors sell DLP products these days. But look under the hood and you’ll find that the technology doesn’t exactly perform as advertised.


Data Loss Prevention (DLP) is all the rage in this era of data security breaches and increasingly clever malware attacks. Naturally, every vendor in the security market wants a piece of the action. But in the vendor stampede for market share, something disturbing is happening: Companies are buying technology that, once installed, doesn’t offer all the ingredients of true DLP, according to Rich Mogull, former Gartner analyst and founder of security consultancy Securosis.

“The term DLP has essentially become meaningless because of a variety of vendors who wanted to say they were offering it,” says Mogull.

The  true  definition  of  DLP  has  always  been  somewhat  muddy.  Mogull  described 
the  acronym  as  a  buzzword  created  for  marketing  purposes.  But  it  used  to  be 
easier  to  tell  when  a  company  was  truly  offering  it.  Mogull's  definition  of  DLP  goes 
something  like  this:  “products  that  as  a  minimum  identify,  monitor  and  protect  data 
in  motion,  at  rest  and  in  use  through  deep  content  analysis.” 

The tool identifies the content, monitors its usage and builds defenses around it. Many vendors perform some of these functions. But unless they tackle everything in the above definition, Mogull says it’s not truly DLP.
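To make the “deep content analysis” part of Mogull’s definition concrete, here is an added Python example; it is not code from the article, from Securosis or from any DLP vendor. It inspects message bodies for regulated data rather than looking only at which channel (USB port, firewall port) the data moves over, which is what separates a content-aware control from the encryption and endpoint-control products Mogull says are not DLP. The regexes, the Luhn filter, the “confidential” marking, the three-way allow/monitor/block policy and the sample messages are all constructed for this illustration; real products add document fingerprinting, exact-data matching and many more classifiers, and apply the same policy to data in motion, at rest and in use.

```python
"""Content-inspection check in the spirit of a DLP classifier.

Added example; not code from the article or from any vendor. The regexes,
Luhn filter and policy below are simplified illustrations, and the sample
messages are constructed test data (4111 1111 1111 1111 is a well-known
test card number; 078-05-1120 is a famous void SSN).
"""
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# U.S. Social Security Numbers in the common dashed form (format only).
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")
# Hypothetical marking that the organization applies to internal documents.
MARKING = "confidential"


def luhn_valid(digits: str) -> bool:
    """Luhn checksum. Weeds out order and phone numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return Luhn-valid card numbers found in the text, separators stripped."""
    found = []
    for match in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def classify(text: str) -> dict:
    """Identify step: what regulated or marked content does the text carry?"""
    return {
        "pan": len(find_pans(text)),
        "ssn": len(SSN_RE.findall(text)),
        "marked": MARKING in text.lower(),
    }


def decide(findings: dict) -> str:
    """Policy step (hypothetical policy): block regulated data, monitor marked data."""
    if findings["pan"] or findings["ssn"]:
        return "block"      # protect: stop the transfer and alert
    if findings["marked"]:
        return "monitor"    # log it; a marking alone is not proof of regulated data
    return "allow"


def scan(text: str) -> tuple:
    """Run identify + policy on one message body; returns (action, findings)."""
    findings = classify(text)
    return decide(findings), findings


# Constructed sample messages for the demonstration.
SAMPLES = {
    "ticket": "Order 1234 5678 1234 5678 shipped; call 555-0100 with questions.",
    "expense": "Card 4111 1111 1111 1111 was used for the conference hotel.",
    "hr": "Employee SSN 078-05-1120 attached.",
    "roadmap": "Confidential 2010 roadmap draft attached for review.",
    "lunch": "Lunch is at noon.",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        action, findings = scan(body)
        print(f"{name:8s} -> {action:7s} {findings}")
```

The “ticket” message is the reason the Luhn step matters: a 16-digit order number matches the card-number pattern but fails the checksum, so a content-aware policy lets it through while still blocking the genuine card number in “expense.” A control that keys only on the channel, or only on a digit pattern, cannot make that distinction.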

“Encryption and endpoint control vendors call what they do DLP,” he says. “A firewall does some of what the concept entails. All of these tools are helpful in different areas of security, but they are not DLP.”

Of  course,  when  a  vendor  doesn’t  offer  technology  that  purely  tackles  what 
everyone  is  clamoring  for,  a  common  solution  is  to  buy  up  a  vendor  who  has  what 
they  need  and  bake  it  into  the  product  line.  Symantec  muscled  its  way  into  the  DLP 
space  by  acquiring  Vontu,  a  company  Mogull  sees  as  an  early  leader  of  true  DLP 
technology.  Meanwhile,  RSA  snatched  up  Tablus  (now  part  of  the  RSA  Data  Loss 
Prevention  Suite)  and  McAfee  bought  Reconnex.  Then  there  was  the  Websense 
acquisition  of  PortAuthority  Technologies  and  CA’s  acquisition  of  Orchestria.  There 
are  still  a  few  independent  DLP  vendors  out  there,  Mogull  says,  including  Vericept 
and  Code  Green  Networks. 

Then  there  are  the  vendors  who  offer  important  pieces  of  the  DLP  puzzle  but 
don’t  do  everything  necessary  (under  Mogull’s  definition,  at  least)  to  call  themselves 
DLP  providers. 

Of course, like any technology, the perception of what is truly DLP depends on who you ask. Imran Minhas, information security officer at the National Bank of Kuwait, says that in his personal opinion, DLP means anything that keeps confidential, restricted or internal-use data from being leaked. -B.B.




Photo  by  iStockphoto.com 


VENDOR  NEWS 

Symantec,  McAfee 
to  Pay  Fines  Over 
Auto-Renewals 

The  companies  will  pay  $375,000  each 
and  improve  business  practices 

Antivirus vendors Symantec and McAfee have each agreed to pay the New York Attorney General's office $375,000 in fines to settle charges that they automatically charged customers software subscription renewal fees without their permission.

Investigators found that the two companies had “failed to adequately disclose to consumers that subscriptions would automatically be renewed and that consumers would be charged,” the office of Andrew Cuomo said in a statement in June announcing the settlement. “Companies cannot play hide the ball when it comes to fees consumers are being charged.”

In addition to paying the settlement fine, Symantec and McAfee will now make better disclosures about subscription renewal fees when customers sign up, the attorney general’s office said.

Security companies have been offering automatic renewals to their customers for nearly a decade now, but in the past few years it’s become much more common in the antivirus industry. McAfee and Symantec say that they prevent customers from having out-of-date antivirus software on their computers.

That may make customers safer, but it also makes company investors happy because renewal fees keep rolling in.

Symantec  began  enrolling  North  American  customers  in  auto¬ 
matic  renewal  by  default  in  November  2005,  and  has  since  expanded 
the  practice  worldwide. 

McAfee began the practice in 2001. Under these programs, customers pay up-front for a one-year subscription and then, a year later, are automatically billed for the next year’s service.

The companies say they have been working with Cuomo’s office for the past two years to improve practices, and they have now made it easier to understand and opt out of their respective auto-renewal features.

For  example,  Symantec 
has  now  modified  its  online 
shopping  cart  to  include 
better  disclosures  and  an 
explanation  of  how  to  opt  out  of  the  program. 

Norton  users  who  want  to  unsubscribe  from  Symantec’s  program 
can  do  so  on  their  Norton  Account  webpage,  Symantec  said. 

If  you’re  a  U.S.  McAfee  user,  you  can  call  customer  support  at 
866-622-3911. 

Both  companies  will  now  refund  auto-renewal  fees  within  60  days 
of  the  charge,  Cuomo’s  office  said.  -Robert  McMillan 


New  York  Attorney  General  Andrew  Cuomo 


TACTICS 


By Mary Brandel


Choosing  Enterprise  Antivirus 

In  the  company  setting,  there’s  much  more  to  consider  than  just 
speed  and  accuracy—though  those  are  important  too 


Antivirus has been around— well, nearly as long as viruses. But thanks to the ever-growing variety of threats to the PC environment, this is a fast-changing market that is undergoing two major trends:

1. Movement beyond signature-based protection. Malware is constantly growing and mutating, making it impossible for vendors to identify and protect against individual threats using signatures alone. Consider that in the spring, Symantec announced it had detected nearly 1.7 million malicious code threats since it began tracking them in 2007, representing a 265 percent growth in malicious code signatures.

In addition to signatures, vendors now use additional techniques, such as application control (also called whitelisting), which allows only approved code to run; and host intrusion protection systems (HIPS), also called heuristics, which monitor code behavior. If behavior deviates from “normal,” HIPS deems it suspicious or malicious and prevents it from running. HIPS works in preexecution mode, runtime mode or both.

2. Expanded functionality. Many of the large antivirus software vendors have expanded their stand-alone tools into suites that not only guard against malware but protect against hackers and data loss. “The general trend is that security software on the endpoint is getting fatter and more fully functional,” says John Oltsik, an analyst with Enterprise Strategy Group (ESG). Specifically, antivirus, antispyware and firewall software is merging with endpoint operations, data loss prevention and full-disk encryption, he says. Another capability that is commonly offered is network access control, adds Natalie Lambert, an analyst at Forrester Research. These tools control client access to networks based on their compliance with policy, she says.

In some cases, vendors are also merging security with operational functionality, such as patch and configuration management, endpoint provisioning and backup. “The larger vendors will sell security alone, but they’re convincing customers that they


20  www.csoonline.com  July/August  2009 


Illustration  by  Steve  Traynor 




ought to manage it all as one thing,” Oltsik says. It will be a slow uptake, he says. “Right now, the products and technology are two years ahead of where IT organizations are,” he says.

DOs and DON’Ts

DO consider the suite advantage. According to Lambert, the prime AV differentiation is what vendors are bundling into their client security suites. Increasingly, as users face challenges ranging from malicious code to data loss and insecure machines connecting to the corporate network, they want to solve them in a single sweep, not with point products. “Every product you put on the machine will slow it down more, add another console to manage and add another license and something you have to buy,” Lambert says. “Why take the hit several times when you can get a less expensive product with more capabilities from one vendor?”

The director of information security at a large manufacturer of packaged foods agrees. He says his company has been able to reduce the number of security products his organization manages as Trend Micro has added features and capabilities, such as client firewall management and spyware removal. Whereas his organization used to have five or six consoles to manage security products, it is now down to two.

Michael Bell, senior network engineer at marketing firm CMS Direct in Minneapolis, values the fact that Sophos includes many layers of security in one package; in fact, he’s looking forward to Sophos integrating a client firewall, which is currently offered as a separate module.

DON’T accept poor performance. Antivirus software is renowned for being a resource hog, but some vendors are putting a premium on being performance-oriented. For instance, according to Bell, Sophos uses techniques such as indexing to perform fewer resource-intensive scans. Robert Amos, manager of infrastructure systems at NuStar Energy, also sees performance improvements over his former system now that he uses Microsoft Forefront. A lot of antivirus products he’s used had huge performance issues, he says, but Forefront performs a scan every six hours, and Amos says he’s not always aware when it’s running.


DO investigate whitelisting. Whitelisting, or application control, is an emerging capability that Lambert says is superior to HIPS because it prevents malware from running on systems rather than monitoring activity. With whitelisting, administrators maintain a list of approved applications for their environment, disallowing non-approved software from running.

The problem with whitelisting, says Oltsik, is that in a Web 2.0 world, people often download new software, whether for their own productivity or their personal use. It may work well in a fixed function, such as order entry or the call center, he says, but if you have people communicating with outside partners, or marketing people doing research, “you’ll be forever getting calls from people who are trying to download and can’t,” he says. “The question is how draconian you want to be in your enforcement,” he says.
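
The whitelisting model described above, and the enforcement question Oltsik raises, can be made concrete with a small policy engine. This is an added example written for this article, not code from any vendor's product: it keys approval on the SHA-256 of a program's bytes rather than its file name, and offers an enforce mode (unknown programs are blocked) beside an audit mode (unknown programs run but are queued for review, the alert-then-authorize workflow Bell describes later in the piece). The sample program bytes, paths and labels are constructed for illustration.

```python
"""Hash-based application allowlisting with an enforce mode and an audit mode.

Added example, not code from the article or from any vendor's product.
The sample program bytes, file paths and labels are constructed; a real
deployment would populate the allowlist from a gold-image inventory.
"""
import hashlib
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Tuple


class Mode(Enum):
    ENFORCE = "enforce"  # anything not on the allowlist is blocked
    AUDIT = "audit"      # unknown programs run, but are flagged for review


@dataclass
class Decision:
    path: str
    digest: str
    allowed_to_run: bool
    reason: str


@dataclass
class Allowlist:
    """Approved programs keyed by the SHA-256 of their bytes, not by file name.

    Keying on content means a renamed copy of an approved binary stays
    approved, while a modified binary under a trusted name does not.
    """
    mode: Mode = Mode.ENFORCE
    approved: Dict[str, str] = field(default_factory=dict)  # digest -> label
    flagged: List[Decision] = field(default_factory=list)   # review queue

    @staticmethod
    def digest(content: bytes) -> str:
        return hashlib.sha256(content).hexdigest()

    def approve(self, content: bytes, label: str) -> str:
        d = self.digest(content)
        self.approved[d] = label
        return d

    def authorize(self, digest: str, label: str) -> None:
        """Administrator promotes a flagged digest to approved after review."""
        self.approved[digest] = label
        self.flagged = [f for f in self.flagged if f.digest != digest]

    def evaluate(self, path: str, content: bytes) -> Decision:
        d = self.digest(content)
        if d in self.approved:
            return Decision(path, d, True, "approved: " + self.approved[d])
        if self.mode is Mode.ENFORCE:
            dec = Decision(path, d, False, "not on allowlist: blocked")
        else:
            dec = Decision(path, d, True, "not on allowlist: allowed, flagged for review")
        self.flagged.append(dec)
        return dec


# Constructed stand-ins for executable file contents.
ORDER_ENTRY = b"MZ\x90\x00 order-entry-client 3.2"
TAMPERED = b"MZ\x90\x00 order-entry-client 3.2 + appended payload"
NEW_TOOL = b"MZ\x90\x00 tool downloaded from the web"


def run_scenario(mode: Mode) -> Tuple[Allowlist, List[Decision]]:
    """Approve one program, then evaluate four launch attempts."""
    wl = Allowlist(mode=mode)
    wl.approve(ORDER_ENTRY, "Order entry client 3.2")
    launches = [
        (r"C:\Apps\orderentry.exe", ORDER_ENTRY),                 # approved binary
        (r"C:\Users\jdoe\Downloads\oe_copy.exe", ORDER_ENTRY),    # same bytes, new name
        (r"C:\Apps\orderentry.exe", TAMPERED),                    # trusted name, altered bytes
        (r"C:\Users\jdoe\Downloads\tool.exe", NEW_TOOL),          # unknown download
    ]
    return wl, [wl.evaluate(p, c) for p, c in launches]


def review_and_authorize() -> Decision:
    """Audit-mode workflow: alert first, then an admin authorizes the flagged tool."""
    wl, _ = run_scenario(Mode.AUDIT)
    tool = next(f for f in wl.flagged if f.path.endswith("tool.exe"))
    wl.authorize(tool.digest, "Research tool, approved after review")
    return wl.evaluate(tool.path, NEW_TOOL)


if __name__ == "__main__":
    for mode in Mode:
        _, decisions = run_scenario(mode)
        print(mode.value)
        for d in decisions:
            print(f"  {'RUN  ' if d.allowed_to_run else 'BLOCK'} {d.path}  {d.reason}")
```

The audit mode is the practical answer to the "draconian" question: a marketing group can run in audit while a fixed-function order-entry floor runs in enforce, and the review queue shows which downloads would have been blocked before the switch is flipped.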

DO research other emerging client security tools. In addition to whitelisting, according to Lambert, there are four additional emerging tools that should be considered in endpoint protection, as they solve more complex threats. These include device control, which lets administrators create policy around acceptable devices that can or can’t be accessed by a PC; full-disk encryption, which encrypts the hard drive when the machine is shut down; file encryption, which protects individual files when users save them to a designated location; and data leak prevention, which monitors and enforces data usage policy. Typically, less than 30 percent of organizations have invested in these tools, she says, but security managers should begin to experiment with them.

DON’T give up on HIPS. Although HIPS solutions are still immature and have a high false-positive rate, they should still be paired with antimalware solutions, Lambert says. She sees application control eventually replacing HIPS but says it will still be useful in protecting machines against problems like buffer overflows.

At CMS Direct, Bell is happy that Sophos offers HIPS capabilities as part of its scanning engine. He uses it to block downloads of potentially unwanted applications, such as adware. Instead of the system automatically blocking applications that act suspiciously, he says, you can choose to be alerted


SELECTION CRITERIA

Enterprise AV considerations, according to Burton Group analyst Dan Blum:

Price. Inquire about annual subscription costs and additional charges for antispyware, cleaning, host intrusion protection system capabilities, etc. Ask whether suite pricing is flexible if you don’t require every module.

Scanning engine. Are there multiple agents for antivirus, antispyware, application control, etc.? If so, do they cause management or performance inefficiencies?

Behavior-blocking functionality. Does the system monitor system calls to prevent vulnerability exploitation attempts?

System firewall. Does it provide blacklists and whitelists for addresses and domains?

Application control (whitelisting). Does it provide up-to-date and customizable whitelists and blacklists? A learning engine?

Cleaning/remediation. Does it provide virus, spyware and difficult rootkit cleaning?

Client updates. How large and frequent are signature and other updates? This can range from one per day to multiple updates per day.

and then use the centralized policy management capability to either authorize the use of the flagged applications or block them.

DO consider reputation services. As part of its work to displace other tools in its environment with the capabilities offered by Trend Micro, the packaged food company is testing the vendor’s reputation services capabilities to see if it can replace its current URL filtering tool. Reputation services work by checking every Web address that users attempt to visit and blocking access to those found in a list of known malicious sites.
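
The lookup that a reputation service performs is simple in outline but easy to get wrong at the edges, so here is an added example (not the article's or Trend Micro's code) that shows the defender-side check: normalize the requested URL to a hostname, then walk up its parent domains so that a listed domain also covers its subdomains, without falling for substring look-alikes. The blocklist entries and URLs are constructed; a deployment would replace BLOCKLIST with the vendor feed.

```python
"""URL reputation check against a domain blocklist, with host normalization.

Added example, not code from the article or from any vendor's reputation
service. BLOCKLIST and the URLs are constructed for illustration.
"""
from typing import Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed list of known-bad domains. A listed domain also covers all of
# its subdomains, so "cdn.malware-example.test" is caught by the first entry.
BLOCKLIST: Set[str] = {
    "malware-example.test",
    "phish-login.example",
}


def host_of(url: str) -> Optional[str]:
    """Return the normalized hostname of url, or None when there is none.

    Scheme-less input ("www.example.org/x") is treated as http so the host
    is not mistaken for a path. urlsplit lowercases the host and drops the
    port; a trailing dot (absolute DNS name) is removed as well.
    """
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname
    return host.rstrip(".") if host else None


def covering_entry(host: str, blocklist: Set[str]) -> Optional[str]:
    """Return the blocklist entry equal to host or to one of its parent domains.

    Matching on whole labels avoids substring false positives: the host
    "notmalware-example.test" does not match "malware-example.test".
    """
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def check_url(url: str, blocklist: Set[str] = BLOCKLIST) -> Tuple[str, str]:
    """Return ("block" | "allow", reason). Input with no hostname fails closed."""
    host = host_of(url)
    if host is None:
        return ("block", "no hostname in URL")
    hit = covering_entry(host, blocklist)
    if hit is not None:
        return ("block", f"{host} is covered by blocklisted domain {hit}")
    return ("allow", f"{host} is not on the blocklist")


if __name__ == "__main__":
    for u in ["HTTP://CDN.Malware-Example.TEST:8080/update.exe",
              "www.example.org/index.html",
              "http://notmalware-example.test/",
              "https://phish-login.example./signin"]:
        print(check_url(u))
```

The same walk-up logic is what lets a feed list one registrable domain instead of every host under it; the cost is that a compromised page on an otherwise legitimate shared domain cannot be listed without blocking its neighbors, which is why vendor feeds carry URL-path entries alongside domains.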

DO  value  ease-of-use.  No  one  has 




extra resources to apply to security, which makes ease-of-use an important issue. That means vendors are paying more attention to dashboards and easier reporting, management and deployment.

Bell is impressed with his product’s central management and at-a-glance dashboard, as he can quickly see when clients are out of compliance. Bell says he didn’t use the dashboard feature of his former software because it was not easy to understand; clients would sometimes report that their upgrades were 30 days out of date. “Within five minutes, you can see that everyone is updated,” he says.

Similarly, the director at the food manufacturer says advanced reporting modules have eased the job of reporting to senior managers on network protection. Previously, reporting required manual compilation of multiple reports. Today, reporting is automated and posted to the intranet.

DO consider multiple scanning engines. No scanning engine is perfect, which is why some vendors (for example, Microsoft and Symantec) are starting to use multiple scanning engines to increase the chances of catching malware. “Different engines have different blind spots,” says Dan Blum, an analyst with the Burton Group.

With Forefront’s multiple scanning engines, it’s like choosing two different companies for their scanning abilities and putting both on one machine, says Amos. “If one is a little bit weaker at detecting malware than the other, you get double protection,” he says. He plans to roll out four different agents for scanning.

DO consider software as a service. As in other product areas, many vendors are delivering some antivirus capabilities as a service, such as antimalware, reputation services, signature updating and reporting. This can be more cost-effective, and although larger enterprises may keep most capabilities in-house, according to Blum, users might adopt a hybrid model in which they use on-premises systems for the centralized workforce, but SaaS for users in outlying offices.

In some cases, vendors are using a hybrid software and services model to offer additional or beefed-up capabilities, such as multiple scanning engines or a reputation database. “It’s a way to provide something much greater than what you can cram on a single CD,” Blum says.

DO have a zero-day attack strategy. A major weakness with today’s systems is protection against zero-day attacks. “There’s a pretty high failure rate, as high as 50 percent, when a typical package is faced with a new type of malware it hasn’t seen before,” Blum says.

The packaged food company offsets the problem through a desktop lockdown strategy. Working on the premise that most malware operates by trying to write to the registry, the system folder or the root of the drive, the company has configured its desktops to prohibit that behavior.
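
The lockdown premise above doubles as a detection rule: any write that lands in one of those three locations is worth a look whether or not a signature fires. This added example (not the article's or the food company's configuration) classifies a constructed batch of write events against that rule, normalizing paths first so that forward slashes, mixed case and ".." traversal cannot disguise a write to the drive root or the system folder. SYSTEM_FOLDER and the sample events are constructed for illustration.

```python
"""Audit write events against the desktop lockdown rule described above.

Added example, not code from the article or the food company's actual
configuration. It classifies each attempted write by whether it lands in
one of the three locations the article names: the registry, the system
folder, or the root of the drive. The protected paths and sample events
are constructed for illustration.
"""
import ntpath
from typing import List, Optional, Tuple

SYSTEM_FOLDER = r"C:\Windows"                      # constructed; use %SystemRoot% in practice
REGISTRY_PREFIXES = ("HKLM\\", "HKCU\\", "HKEY_")  # how registry targets appear in the log


def classify_write(target: str) -> Optional[str]:
    """Return the protected zone a write would land in, or None if unrestricted."""
    t = target.strip()
    if t.upper().startswith(REGISTRY_PREFIXES):
        return "registry"
    # Collapse "..", duplicate separators and forward slashes, then lowercase,
    # so C:\Temp\..\autorun.inf is judged as c:\autorun.inf.
    norm = ntpath.normcase(ntpath.normpath(t))
    drive, _ = ntpath.splitdrive(norm)
    if not drive:
        return None  # relative path: outside this rule's scope
    sys_folder = ntpath.normcase(SYSTEM_FOLDER)
    if norm == sys_folder or norm.startswith(sys_folder + "\\"):
        return "system folder"
    if ntpath.dirname(norm) == drive + "\\":  # parent is the drive root itself
        return "drive root"
    return None


# Constructed audit events: process, operation, target (tab separated).
SAMPLE_EVENTS = """\
winword.exe\tWriteFile\tC:\\Users\\jdoe\\Documents\\budget.docx
unknown.exe\tWriteFile\tC:\\Windows\\System32\\drivers\\dropped.sys
unknown.exe\tRegSetValue\tHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd
unknown.exe\tWriteFile\tc:/autorun.inf
notepad.exe\tWriteFile\tC:\\Temp\\..\\autorun.inf
excel.exe\tWriteFile\tD:\\Shares\\q3\\report.xlsx
"""


def violations(events: str) -> List[Tuple[str, str, str]]:
    """Return (process, target, zone) for every event that hits a protected zone."""
    hits = []
    for line in events.splitlines():
        if not line.strip():
            continue
        process, _operation, target = line.split("\t", 2)
        zone = classify_write(target)
        if zone is not None:
            hits.append((process, target, zone))
    return hits


if __name__ == "__main__":
    for process, target, zone in violations(SAMPLE_EVENTS):
        print(f"{zone:13} {process:12} {target}")
```

Run as an audit before enforcement, the same classifier shows which legitimate processes (installers, updaters, the backup agent) also write to these locations and will need explicit exceptions once the lockdown is turned on.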

For Amos, Microsoft’s quick response played a big role in choosing Forefront. When running a pilot of Forefront, some of the workstations in the environment became very sluggish. The existing antivirus software did not detect anything, but


when his team put Forefront on one of the workstations, it detected the Conficker virus and helped isolate the machine. “We had 30 machines infected, but we were able to keep it from spreading,” he says. “That was a big selling point.”

DON’T forget malware removal capability. It’s one thing to detect a virus and quite another to clean up the damage. A big reason Bell chose Sophos is because in the years he was using other systems, such as Trend Micro, McAfee and Symantec, he always noticed that Sophos offered removal tools before other vendors did. In fact, after being infected twice in the last couple of years by a virus that caused his company’s PCs to send spam, he used tools from Sophos to remove it. “That protection became a big deciding factor for our company to switch over,” he says. His current system didn’t recognize the virus, he says.

Similarly, Amos says Forefront’s cleanup and removal capabilities are superior to his former system’s. “It would notify us but was unable to clean it because what was infected was an open file or a system file that it couldn’t act on,” he says. It required the desktop group to boot the machine in safe mode and manually remove entries in the registry or delete files. With Forefront, that work is unnecessary, reducing labor by one headcount in the desktop group, he says.

DO consider costs carefully. With ever-expanding security needs on the desktop, users are seeking ways to reduce costs. According to Lambert, a best-of-breed client security tool such as antimalware has an average list price per PC of $40 and up to $80 for full-disk encryption.

One way to keep costs down is to get as much coverage as possible with one system. The food company, for instance, has reduced its total cost of ownership by reducing the number of security consoles it needs to manage.

Amos is enjoying cost savings of $35,000 per year by using Forefront, mainly because of a change in Microsoft’s licensing policy. His company had been using Forefront to protect SharePoint and Exchange, but he didn’t even consider this software when he was researching new antivirus software for the PC environment. This was mainly because the PC and server environments were administered through separate infrastructures. His top reason for seeking a new antivirus vendor was to reduce the cost per machine. Any new product, however, would have required a complete redesign of how the current infrastructure collected signatures and did reporting, mainly because the company has a very distributed environment—100 locations outside of corporate headquarters.

It happened to come up in conversation that as part of its enterprise licensing agreement, the company could use Forefront for its workstations, with no additional charge. Now, Amos uses one standardized tool to protect, monitor and report across all systems. “We have a small staff, with one person wearing multiple hats, so the more there is in one single application for them to become familiar with, the better use of that resource,” he says. Forefront is also integrated with Active Directory, which enables easy distribution to new machines, he says. ■


Mary Brandel is a freelance writer based outside of Boston. Send feedback to Editor Derek Slater at dslater@cxo.com.


COVER STORY | CSO ROLE


In the physical and digital worlds alike, security is ever more entrenched in protecting the corporate brand

By Joan Goodchild


Pizza isn’t typically a topic of conversation in company meetings at Caterpillar, the world’s largest maker of construction and mining equipment, diesel and natural gas engines and industrial gas turbines. But an incident involving Domino’s had a special team tasked with protecting Caterpillar’s brand integrity taking notes and buzzing about how quickly a simple video can suddenly drag a massive corporate name through the mud.

This spring, a prank video involving two Domino’s employees in a North Carolina store was posted to YouTube (see photo at right). The video, which showed the employees engaged in several unsanitary food preparation acts, received well over one million views and quickly left the company scrambling with a brand impression nightmare.

“Every company has a risk to its brand,” says Tim Williams, director of global security at Caterpillar. “With the proliferation of social interaction tools, any company’s brand could be put under attack for a multitude of reasons. We all have to be very, very astute about watching for those emerging risks and be able to deal with them.”

Brand protection, brand integrity, brand reputation. Whatever you call it, it comes down to the public perception of your company and the products and services it offers or manufactures. Concerns vary widely among organizations. While a fast food chain like Domino’s is worried about how the public feels about their sanitation and food quality, manufacturers are concerned about supply issues, and financial institutions might be concerned that their name will be used in an e-mail scam or phishing attack, for instance.

Organizations, like Caterpillar, are increasingly seeking ways to prevent brand infection and calling upon security and risk officials to figure out what needs to be done in order to prevent a negative perception about a brand. Williams has a dedicated committee at Caterpillar working on brand issues. The aim is to assess risks of all kinds: anything from potential counterfeit parts in the supply chain to the corporate reputation and perception that is conveyed through social networking sites.

Illustration by Dan Page

A Few of Their Favorite Things

Shoes, DVD players, purses and more: a list from 2007 (the most recent data) of counterfeit goods seized by the U.S. Department of Homeland Security, broken down by product category

Electronics 8%
Apparel Accessories 7%
[category label missing] 14%
Watches 7%
Pharmaceuticals 6%
Computers 5%
Media 4%
Other 10%

NOTE: PERCENTAGES HAVE BEEN ROUNDED

“There are all kinds of things that could pop up at anytime that would have a serious impact on the brand,” says Williams. “And it can move at light speed because once it’s out there it is going to be going over the wire.”

Committees, like the one at Caterpillar, are often composed of representatives from an organization’s legal, marketing, security and human resource departments, according to Michael Rasmussen, president of Corporate Integrity, a Wisconsin-based consultancy that specializes in governance, risk and compliance. Many companies are now using brand integrity issues as a way to put a positive spin on a company image, he says. More than 25 percent of the Global 100 firms include elements of security and privacy in their corporate social responsibility reports.

“The idea is that part of being a good corporate citizen and protecting the community is going above and beyond and protecting information,” says Rasmussen.

But a proactive plan and committee may not be nearly enough, according to Aon Corporation, a provider of risk management services. In a recent survey, Aon polled organizations in more than 40 countries and across 31 industries to find out their views of emerging and escalating business risks. According to the resulting “2009 Global Risk Management Survey,” damage to reputation was the sixth biggest concern among those polled. And a study released this year by the Chief Marketing Officer Council reports that organizations’ concern over brand management and brand infection is growing as the down economy fuels increasingly global and organized counterfeiting operations. A global audit of 306 marketers found that marketers are reporting a greater number of incidents of fraud online, with 29.5 percent who said their chief vulnerability is in the digital world.

Online brand attacks can include cybersquatting—the practice of registering, trafficking in or using a domain name with bad faith intent on profiting from the goodwill of a trademark belonging to someone else (read a report on cybersquatting growth at www.csoonline.com/article/485076). Those who took part in the CMO study said brand value, trust, integrity and reputation are being significantly eroded and damaged as a result of grey-market knock-offs, phishing attacks, cybersquatting, e-mail scams, trademark abuse, copyright and patent infringements and other malevolent forms of brand corruption.

“Brand attacks, whether through online scams, phishing or cybersquatting, impact brand integrity and reputation immediately because the malicious activities are customer-facing and affect the heart of what contributes to underlying brand value: customer perception,” says Frederick Felman, chief marketing officer of MarkMonitor.

CISOs are often involved with implementing plans for combating phishing, often through communication campaigns, says Rasmussen. And intellectual property protection has become an area of concern for CISOs now, too.

“It’s not just brand protection to the world,” says Rasmussen, “but also to business partners.”

However, as with many security expenditures, Rasmussen says the pitch for investment in IP protection is often a tough sell. Rasmussen referenced a case of a CISO with a well-known semiconductor maker that had a partnership with a large mobile-phone manufacturer. While the company was not very interested in the CISO’s desire to invest in IP protection technology, they changed their mind when he said, “What about [the client’s] IP protection?” This forced the company to think about the implications of a data breach that would affect a client relationship.

“Once he rephrased his argument, it changed their perception,” says Rasmussen.

Footwear 40% (the remaining entry of the “A Few of Their Favorite Things” chart)

But the digital realm is only one area where attack on brands can take place. The CMO study also found that 22.6 percent cited offline concerns, such as supply chain issues, as their main vulnerability. The Aon survey cited distribution or supply-chain failure as the eighth largest risk.

“Counterfeiters have proven themselves quite adept at getting counterfeit products introduced into the legitimate supply chain,” according to Jack Holleran, an Ernst & Young attorney who leads EY’s corporate compliance advisory services practice. “There was time when counterfeit products were sold on street corners and in bus stations and back alleys. But it is now much more prevalent to find counterfeit products on legitimate retailers’ shelves.”

Holleran, who at one point worked for Philip Morris in the legal department and formed the company’s brand integrity unit, is primarily focused now on assisting chief compliance officers with the design and implementation of compliance programs. But brand integrity and anticounterfeiting are now part of compliance as well, he says.

Whether a company is in consumer products, technology or manufacturing, it faces the risk of increased scrutiny from regulators if it does not show that it is taking every reasonable step to protect the integrity of its supply chain and ensure no fakes are inserted into the process. Security also comes into the process, he notes.

“Counterfeiting and other attacks on brands are illegal,” he says. “Part of a company’s strategy needs to be outreach and engagement with law enforcement. While security may not play the lead role in terms of ascertaining how big a problem a company may have, they often play a critical role in outreach to law enforcement.”


Relationships with law enforcement are critical now for companies with concerns about counterfeiting, according to Alex Burgos, a spokesperson for the Global Intellectual Property Center, an affiliate of the U.S. Chamber of Commerce.

“A lot of counterfeits come in from other countries, such as China. So many companies work with law enforcement authorities to make sure they are aware of how to detect fake products and to keep them up to speed on new challenges and trends they are seeing.” (See “Faked in China,” www.csoonline.com/article/220737 for an in-depth look at difficulties dealing with that country.)

And beyond brand integrity, there is the obvious financial loss of counterfeiting, too. Counterfeiting and piracy cost the U.S. economy an estimated $250 billion per year, according to the center, which issues a yearly Intellectual Property Protection and Enforcement Manual. It is essentially a legal guide for companies that includes best practices in place at some organizations when it comes to brand protection and anticounterfeiting measures, and includes a checklist of questions a company can use to assess their risk for counterfeiting. Just about any major brand name is at risk, the manual warns, while it urges all to take precautions.

“Any company with a well-known, valuable brand should assume that its brand is already being counterfeited,” it states. “For companies lucky enough not to be victims, it is a question of when, not if.” ■


Reach Senior Editor Joan Goodchild at jgoodchild@cxo.com.


Photo  by  AP/Wide  World  Photos 




FRAUD 


Downsizing and desperation are fueling a rise in occupational fraud. How do you stop a rogue employee?

By Stacy Collett


Bernard Madoff, Allen Stanford and California money manager Danny Pang may be the latest examples of outrageous fraud. But what about the little guys? The administrator, middle manager or call-center rep?

It doesn’t take a high-profile, multibillion-dollar scandal to rock an enterprise. These days, when employers are cutting salaries, staff and bonuses—and staff is uncertain about the next round of layoffs—more employees are committing fraud, according to a study by the Association of Certified Fraud Examiners. More than half of fraud examiners surveyed said that the level of fraud has slightly or significantly increased in the previous 12 months compared to the level of fraud they investigated or observed in years prior.

U.S. organizations lost 7 percent of their annual revenues to fraud between 2006 and 2008 for an estimated total cost of $994 billion in losses, according to the ACFE. That’s a slight uptick from the 5 percent loss reported for the two-year period ending in 2006.

What’s more, about half cited increased financial pressure as the biggest factor contributing to the increase in fraud, compared to increased opportunity (27 percent) and increased rationalization (24 percent).

Fraud can include minor things like expensing personal items or major, fraudulent billing schemes carried out over months or years. “They’re using the corporate credit cards for expenses that are really tying back to people in the accounting department to fill their own needs,” says Adam Safir, COO of security consulting firm Safir Rosetti in New York. “We’ve had clients where individuals have racked up $500,000 worth of transfer payments to various parties that were done piecemeal through small [charges]” over several months.

Illustration by Emmanuel Polanco

Making matters worse, layoffs are affecting organizations’ internal control systems, according to the ACFE study. Nearly 60 percent of companies say they had experienced layoffs during the past year. Among those who had experienced layoffs, more than a third said their company had eliminated some controls for preventing fraud.

“I don’t think this is anything new, but with the economy down and people getting desperate, this is a methodology that they use that takes advantage of a typical weakness,” such as poor oversight or holes in security procedures, Safir says.

Fraud examiners expect the level of fraud to rise during the next 12 months, especially embezzlement cases and an increase in Ponzi schemes investigated by the SEC, says Bruce Dorris, ACFE program director. “The credit market is drying up and there’s not as much capital to raise for those types of frauds, so you’re going to see a lot more reporting” as investors realize they’ve been defrauded.

In  these  tough  economic  times,  CSOs 
need  to  harden  their  defenses  against  fraud. 
Here’s  how. 

FRAUD  FRENZY 

EMBEZZLEMENT  ACCOUNTS  FOR  70 
percent  of  fraud  cases.  “That’s  employee 
theft  across  the  board”  from  C-level  execs 
to  administrative  staff,  Dorris  explains. 
That’s  anything  from  fabricating  vendors 
to  charge  payments  to  corporate  credit  card 
misuse,  taking  petty  cash  “down  to  stealing 
pencils,  pens  and  notepaper.” 

Vendor fraud is also on the rise. Examiners are detecting fraud schemes in contract and procurement areas, where, for example, a vendor suddenly shows a marked increase in contracts over the previous year—especially low dollar amount, no-bid contracts, which may indicate kickbacks to employees.
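The vendor pattern above (a jump in low-dollar, no-bid awards to one vendor) and the piecemeal transfers Safir describes earlier (a large sum moved as many small charges over several months) are both detectable from accounts-payable data. The Python below is an added example, not from the article or the ACFE; the contract and payment records are constructed, and the $5,000 no-bid ceiling, the two-fold year-over-year increase and the 180-day structuring window are assumed thresholds a company would set from its own approval limits.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed contract awards (assumption): (vendor, award_date, amount, competitively_bid)
CONTRACTS = (
    [("Acme Supply", date(2007, m, 15), 1800.0, False) for m in (3, 9)]
    + [("Acme Supply", date(2008, m, 15), 1950.0, False) for m in range(1, 10)]
    + [("Beta Office", date(2007, m, 1), 900.0, False) for m in (1, 4, 7, 10)]
    + [("Beta Office", date(2008, m, 1), 950.0, False) for m in (1, 4, 7, 10, 12)]
    + [("Gamma Systems", date(2008, 6, 1), 250000.0, True)]
)

# Constructed payments (assumption): (approving_employee, payee, paid_on, amount)
PAYMENTS = (
    [("jdoe", "Riverside Holdings", date(2008, 3, 3) + timedelta(days=7 * i), 2450.0)
     for i in range(20)]
    + [("asmith", "Metro Courier", date(2008, 4, 1) + timedelta(days=30 * i), 400.0)
       for i in range(3)]
)

NO_BID_CEILING = 5000.0  # assumed: awards below this amount skip the formal bid process


def no_bid_low_dollar_counts(contracts, ceiling=NO_BID_CEILING):
    """Count low-dollar, no-bid awards per vendor per calendar year."""
    counts = defaultdict(lambda: defaultdict(int))
    for vendor, awarded, amount, competitive in contracts:
        if not competitive and amount < ceiling:
            counts[vendor][awarded.year] += 1
    return counts


def flag_vendor_spikes(contracts, year, min_increase=3, ratio=2.0, ceiling=NO_BID_CEILING):
    """Vendors whose low-dollar no-bid award count in `year` is both `min_increase`
    more than and at least `ratio` times the prior year's count.
    Returns {vendor: (prior_year_count, current_year_count)}."""
    counts = no_bid_low_dollar_counts(contracts, ceiling)
    flagged = {}
    for vendor, by_year in counts.items():
        cur, prev = by_year.get(year, 0), by_year.get(year - 1, 0)
        if cur - prev >= min_increase and cur >= ratio * max(prev, 1):
            flagged[vendor] = (prev, cur)
    return flagged


def flag_piecemeal_transfers(payments, per_item_ceiling=2500.0, total_floor=20000.0,
                             window_days=180):
    """Employee/payee pairs where individually small payments (each at or under the
    approval threshold) add up past `total_floor` inside a sliding date window.
    Returns {(employee, payee): (payments_in_window, total_in_window)} at first breach."""
    groups = defaultdict(list)
    for employee, payee, paid_on, amount in payments:
        if amount <= per_item_ceiling:
            groups[(employee, payee)].append((paid_on, amount))
    flagged = {}
    for key, items in groups.items():
        items.sort(key=lambda t: t[0])
        start = 0
        for end in range(len(items)):
            # shrink the window from the left until it spans at most window_days
            while (items[end][0] - items[start][0]).days > window_days:
                start += 1
            total = sum(amount for _, amount in items[start:end + 1])
            if total >= total_floor:
                flagged[key] = (end - start + 1, total)
                break
    return flagged


if __name__ == "__main__":
    print("vendor spikes 2008:", flag_vendor_spikes(CONTRACTS, 2008))
    print("piecemeal transfers:", flag_piecemeal_transfers(PAYMENTS))
```

The two checks are deliberately simple rules rather than statistics: an examiner needs to be able to explain to the audit committee exactly why a vendor or a payment stream was pulled, and a vendor with no prior history will trip the spike rule as well, which is usually what you want. Note that the structuring check only looks at payments under the approval threshold, since anything above it already went through a second pair of eyes.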

Data fraud cases continue to concern employers, but now many employees who fear losing their jobs are using stolen client lists, marketing data or company secrets to leverage new jobs. Some 59 percent of employees who leave or are asked to leave a company are stealing company data, according to a report by the Ponemon Institute, and two-thirds of them admit to using their former company’s confidential, sensitive or proprietary information for new employment.

But even without economic pressures and downsizing, data theft “certainly is an issue that has existed and continues to exist” on a daily basis, says Lisa Sotto, a partner and head of the privacy and information management practice at Hunton & Williams, which represents companies that have suffered a security breach, often at the hands of rogue employees.


Call center agents, for instance, are highly susceptible to breaches because they have easy access to customer data, and callers are willing to give up sensitive information, such as credit card numbers, Sotto says. What’s more, healthcare and insurance providers often use Social Security numbers to authenticate a patient’s identity on call center inquiries.

FUNDAMENTALS OF A GOOD ANTIFRAUD PROGRAM

SOME  FRAUD  SCHEMES  have  taken  up 
to  two  years  to  detect.  Illegal  activity  can 
be  detected  faster  by  having  policies  and 
procedures  in  place  that  include  audits  and 
monitoring,  data  access  control,  physical 
security,  employee  education  and  discreet 
ways  to  report  fraud. 

IN THE ACCOUNTING DEPARTMENT. Look at relationships between vendors and employees, such as familial relationships between vendors and purchasers or a sudden increase in contract awards to a particular vendor, which may lead to fraud, and set policies regarding those relationships.

A fraud monitoring program must include spot audits. Accounts should be reconciled daily with no variances, Safir says. That way, “you know immediately that you have a problem that requires further investigation. At some companies, their accounting department becomes too complex and they’ll carry over imbalances”—a very unsafe practice, he adds.

Also, separate duties between accounts payable and accounts receivable. “You could train a nonaccountant to do your payables. That person would not be reconciling your pay statements like an accountant would,” Safir says.

Surprise audits continue to prove effective in catching fraud. “If they know that corporate security is doing audits on the first Tuesday of the month, they take care of everything on Monday. But if they don’t know they’re coming, they’re more likely to catch a fraud in place,” Dorris says. Also, when employees know that a surprise audit looms, “they’re less likely to [commit fraud] because the opportunity has been removed.”

Simply checking financial statements can uncover fraud. “Why is there a tremendous increase this month in accounts receivable? Are they inflating numbers to make the bottom line look better, to increase earnings per share? Those don’t require a tremendous amount of resources—that gives you some predication to look and see an anomaly—and investigate it a bit further,” Dorris says.

AROUND THE OFFICE. Physical protections in the building and its perimeter can also curb fraud. Do you have someone at the front door? Are you locking cabinets with sensitive data in them? Do you have a policy on transporting portable devices like laptops and BlackBerrys?

Where is the company’s trash going? Sotto recalls one multibillion-dollar, family-owned company that 20 years earlier donated reams of used paper to a preschool for a recycling drive. Recently, one of the preschool’s parents called to report that one of her son’s preschool art projects included names and Social Security numbers on the back.

Any sensitive documents should be shredded or designated for burning.

Employees should have access to confidential data on a need-to-know basis. Review access rights weekly or quarterly, and terminate access immediately for any employee leaving the company. Make sure everyone has the right levels of access, and mask some of the data for some levels of access. Audit log software can also document who logged into what documents and systems, when and whether they made changes or exported files.
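The access review and audit-log advice above comes down to three checks that can be run on every review cycle: enabled accounts whose owners are terminated or missing from the HR roster, activity recorded after a termination date, and exports by users whose role carries no export entitlement. The Python below is an added example, not from the article or any product; the roster, the entitlement table and the `user=... action=... object=...` log format are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed HR roster (assumption): user -> (status, termination timestamp or None)
HR_ROSTER = {
    "jdoe": ("active", None),
    "mlee": ("terminated", datetime(2009, 6, 10, 17, 0, 0)),
    "rpatel": ("active", None),
}

# Constructed entitlement export from the access-management system (assumption)
ACCOUNTS = {
    "jdoe": {"enabled": True, "roles": {"ap_clerk"}},
    "mlee": {"enabled": True, "roles": {"callcenter_agent"}},  # never deprovisioned
    "rpatel": {"enabled": True, "roles": {"callcenter_agent", "export"}},
    "svc_backup": {"enabled": True, "roles": {"export"}},  # no owner in the HR roster
}

# Constructed audit log lines in an assumed key=value format
LOG_LINES = """\
2009-06-08T14:02:11Z user=mlee action=view object=customer/4471
2009-06-12T09:14:03Z user=mlee action=export object=customer_list.csv
2009-06-12T10:01:45Z user=jdoe action=export object=vendor_master.xls
2009-06-12T10:30:00Z user=rpatel action=export object=claims_q2.csv
this line is malformed and must be skipped, not guessed at
""".splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z\s+"
    r"user=(?P<user>\S+)\s+action=(?P<action>\S+)\s+object=(?P<obj>\S+)$"
)


def parse_log(lines):
    """Parse audit log lines into event dicts; lines that do not match are dropped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
            "user": m["user"],
            "action": m["action"],
            "object": m["obj"],
        })
    return events


def stale_accounts(roster, accounts):
    """Enabled accounts whose owner is terminated or has no HR record at all."""
    stale = {}
    for user, acct in accounts.items():
        if not acct["enabled"]:
            continue
        status, _ = roster.get(user, ("unknown", None))
        if status != "active":
            stale[user] = status
    return stale


def activity_after_termination(roster, events):
    """Events by a terminated user at or after that user's termination timestamp."""
    hits = []
    for ev in events:
        status, ended = roster.get(ev["user"], ("unknown", None))
        if status == "terminated" and ended is not None and ev["ts"] >= ended:
            hits.append(ev)
    return hits


def unauthorized_exports(accounts, events):
    """Export events by users whose roles do not include the export entitlement."""
    out = []
    for ev in events:
        roles = accounts.get(ev["user"], {}).get("roles", set())
        if ev["action"] == "export" and "export" not in roles:
            out.append(ev)
    return out


if __name__ == "__main__":
    evs = parse_log(LOG_LINES)
    print("stale accounts:", stale_accounts(HR_ROSTER, ACCOUNTS))
    for ev in activity_after_termination(HR_ROSTER, evs):
        print("post-termination activity:", ev["user"], ev["action"], ev["object"])
    for ev in unauthorized_exports(ACCOUNTS, evs):
        print("export without entitlement:", ev["user"], ev["object"])
```

The roster is treated as the source of truth, so an account with no HR owner (a service account, or a leaver whose record was purged) is reported as stale rather than silently passed. Comparing event timestamps against the termination timestamp rather than the date alone matters for same-day departures, which is exactly the window in which a disgruntled leaver copies a client list.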

IN THE CALL CENTER. Fraud prevention in the call center begins with background checks for all employees before hiring them. Once they’re on the job, monitor their computer activity. “See what they’re looking at and why,” Sotto says. Deactivate CD drives or USB ports so information can’t be copied. Adopt a paperless work environment so information can’t be written down and documents can’t be removed. Keep purses and backpacks outside of the call-center room.

AT HOME. Employees who work from home can be difficult to monitor. Sotto suggests occasional surprise visits from a supervisor. “Have policies in place where the PC is in a segregated area away from family, use strong encryption and password protection” for PC access, she adds.

HOTLINES. Occupational frauds are much more likely to be detected by an anonymous tip than by audits, controls or any other means, according to the ACFE. Hotlines are one of the easiest ways of allowing those tips to come in. Sarbanes-Oxley requires public companies to establish whistle-blower hotlines, and many private companies are following suit. Other companies have set up anonymous e-mail programs “or a locked box in the coffee room for notes,” Dorris says.

EMPLOYEE EDUCATION. One of the easiest and most inexpensive ways to reduce fraud is through employee awareness and training about fraud protection and security.

Employees can be trained on how to handle sensitive documents left near printers, for instance. “They may be unknowingly printing important information that can be used in a fraud or theft context and leaving it near the printer,” Safir says. “Most importantly, let employees know from their first day of employment of the company’s rules and expectations regarding fraudulent activity—not after fraud surfaces.”

WARNING SIGNS OF FRAUD

Fraud schemes sometimes take up to two years to detect. CSOs must train employees to recognize the warning signs.

Excessive or inappropriate contact with a particular vendor, or a familial relationship between an employee and vendor, can lead to fraud. Sloppy record-keeping can also mask illicit activity.

An employee who is living beyond his or her means or is known to be having financial difficulty may become desperate enough to commit fraud.

“We’ve seen people withdrawn or becoming very hostile,” who were committing fraud, says Adam Safir, COO of Safir Rosetti. There are also cases where employees maintain a low profile and “fly under the radar” while keeping a fraud scheme going for months.

“Keep your ear to the ground,” Lisa Sotto, a partner at Hunton & Williams, adds. Sometimes rogue employees can’t keep their mouth shut, she says, so listen to what employees are chatting about at the watercooler. -S.C.

CONNECTING FRAUD AND SECURITY PROGRAMS

ANTIFRAUD POLICIES AND procedures should be part of an overall security program, with input from the general counsel.

“Some CSOs work very closely with their general counsels, and some who are very skilled become relied upon as the ‘finders of fact’ for these very sensitive issues,” Safir says. “A good CSO doing the job proactively and doing it well ends up speaking the language of and servicing the general counsel whose basic duty it is to ensure on behalf of the board that upper management isn’t doing anything [fraudulent].”

In rare cases, CSOs can find themselves at odds with executives who might themselves be engaging in rogue behavior, whether over particular control environments or over the CSO’s responsibilities to the general counsel, who reports to the board. A series of checks and balances can clear that impasse.

“You have a board of directors, an audit committee and control procedures that public companies need to comply with, and a lot of private companies have adopted this as a best practice,” Safir says.

THE  TONE  AT  THE  TOP 

INTERNAL CONTROLS ARE effective only if they are implemented from the top down. The “tone at the top” dictates the effectiveness of any fraud control program, Dorris advises. “If those C-level officers demonstrate integrity and honesty and being forthright with employees, directors, investors, customers and purchasers, those companies become more successful and less likely of fraud in the organization.”

Sheilah Etheridge, owner of SME Management in Anchorage, Alaska, makes a living by cleaning up “the aftermath of an unqualified accounting person or staff,” and she has seen her share of occupational fraud.

“The recession will not cause anyone who is honest to become dishonest,” Etheridge says. “But it may be a handy excuse for those that have thought about it before to act on it, or those already embezzling to up the ante.” ■


Stacy Collett is a freelance writer based in Chicago. Send feedback to Editor Derek Slater at dslater@cxo.com.




[undercover]

By  Anonymous 


Five  Career  Lessons  from  the  Trenches 

Company  politics,  stonewalling,  layoffs— sometimes  it’s  part  and 
parcel  of  the  security  job.  Here  are  one  CISO’s  takeaways. 


Sitting on the plane coming back home to the U.S. from our head office in Europe, I had a good deal of time to reflect upon my current employment situation and, consequently, what will most likely be my sixth employer change in the past 10 years.

As tough as this has been, there is a great deal that I’ve learned from each path traveled. And while some of these paths were voluntarily taken, the majority weren’t. Considering the average stay at a company in our field is approximately 18 months, there are a lot of us that have been forced in another career direction within the past few years. If I had a dollar for every time a recruiter or human resource person asked about my “sketchy” job history, I’d be a very rich man. By the same token, I know of very few people who have been fortunate enough to have lasted five or more years in a strictly information security-related function at one company. There are many times I’ve thought about getting out of security altogether, but opening a dollar store and raising alpacas seemed like more trouble than it’s worth.

Having said this, each career change has brought about a unique learning opportunity. These are experiences that you won’t find in any book nor learn at any business school. Sometimes the “school of hard knocks” can be the best teacher.


Lesson  1:  Look  before  you  leap. 

The grass isn’t always greener on the other side. This is a common phrase that we hear from time to time and one that definitely had more than a ring of truth to it in the late 1990s. I had left the relatively safe pastures of Microsoft to pursue an opportunity as CISO at a startup company for twice the salary, stock options and other associated dotcom perks of the era. While I managed to ask all the typical geek questions in interviews, such as about the technology, personnel and relevant strategies, it didn’t occur to me at the time to ask the tougher questions such as capital run and burn rate, attrition, company finances, etc. Had I known the incredible burn rate on capital before and predicted the dry-up in venture capital funds that year, I never would have left Microsoft. And, as I found out much later in an interview, once you leave Microsoft you can never go back. Learn to ask the hard questions and know what you don’t know. Lesson: Do the math. Consult a mentor, financial consultant or career coach if you are unsure of how to ask about a company’s long-term viability.

Lesson 2: You are not always as smart as you think.

Security is something that many businesses don’t realize they need until it’s gone. And when your e-commerce platform gets hacked and placed in the media spotlight, you’ll often realize it sooner rather than later. When you view security in the same light as having a fire extinguisher on hand, you’re begging for trouble. As the newly minted manager of platform security at a large online bookseller, Web security was naturally an integral part of the job. Finding flaws in the platform and online systems was incredibly challenging and rewarding, and probably the most fun that anyone should be allowed to have while still calling what they do work.

What was not as fun was making recommendations that would not be acted upon until a customer (and consequently the media) found out for themselves, like how you could change anyone else’s profile or even change an order without ever logging into the system. In a “shoot the messenger” approach, nearly everyone was “right-sized.” Another gentleman and I survived the purge only to be told by the new CTO that we would no longer be doing security, but networking instead. The CTO’s voice is vividly etched into my memory: “We don’t need that much security. We’re not a bank, we just sell books.” The company was subsequently fined by the Attorney General and forced to reinstate a security program that was even more comprehensive in nature than before the incident. I won’t even comment on the massive Klez virus outbreak they suffered. Lesson: Security is not something you can put off, sweep under the rug or buy in a box. Take what we do very seriously.

Photo courtesy DefenseImagery.mil

Lesson 3: You are just as expendable as anyone else.

After learning from lesson one, I was appointed CSO of a moderately sized startup company. I was the first (and only) CSO the company had ever had. There were press releases and interviews touting my appointment, and the company and I managed to turn what we were doing with security into a significant competitive advantage. I was assured by the founders that the company was not looking to be bought or otherwise change course in any way. There is another lesson here: Believe none of what you hear and half of what you see. After about a year on the job, I was taken aside into a conference room by one of the founders. “Today we are going to announce that we are being acquired,” I was told. “You don’t need to worry about anything. Nothing will change, and we still need you as CSO,” he said. “Fine,” I thought to myself. “We’ll just switch gears from operational to integration mode. They’ll need due diligence and documented assurances in order to complete the acquisition and leverage a better purchase price.” After almost a year and many hours working to integrate our company into our newfound “parent” I was called yet again into a conference room. “There’s no easy way to tell you this, so I’m just going to come right out and say it. We’re letting you go. We’ve decided we don’t need a thought leader anymore.” Lesson: No matter who tells you or how loudly they say you’ve got nothing to worry about, worry anyway. Don’t ever fall into the mind-set of, “They can’t get rid of us. They need security.” Don’t lose hair or sleep over it, but be proactive instead of reactive.

Lesson 4: Smaller fish can sometimes swallow larger fish.

Working for a biometric authentication company seemed like the wave of the future. This was post 9/11, and security theater was just winding the corner. This just had to be a long-term job. I was wearing many different hats and really enjoying my work there. The company was a public company, financially viable and a leader in the market. But I had assumed after a merger with another biometric company was announced that because we were the majority and the larger partner, we would be holding all of the right cards. Evidently the board didn’t think of it in this same light. Shortly after the merger was announced, I was speaking at a conference in Florida. I spoke with our CEO and he told me, “Just between you and me: If you have another job lined up, take it. There are going to be some major changes very soon.” The smaller “partner” of this merger had a large presence in the area where I lived. And since the new president and CEO of the resulting merged company was from the other company, I was out of luck. Relocation was never even offered as an option. Lesson: Similar to lesson three. Politics will often override sensibility and financial factors. Always consider the political side of things when evaluating a potentially career-changing event.

Lesson 5: Keep bags packed.

My current employment situation is very tricky. While I enjoy working here immensely, I can clearly see the writing on the wall. The winds are changing. We are being forced by the E.U. to make drastic changes, and much of this has been well-publicized. We’ve eliminated many jobs in the past year and with more cuts on the way. We’ve gotten very lean, very quickly. We’ve gone from burning fat to burning muscle. In my humble opinion, there are very few ways this will end. 1) Merger with another institution, or 2) Breakup and sale of our institution. While we position ourselves for option one, I’m not content to sit back and wait for the political winds to shift a given way. Having learned and applied lessons one through four, I’ve come to the conclusion that the right thing to do at this point is to position information security as a vital service, and not merely an offshoot or task of IT. By providing core services for security that are vital to the operation of any resulting merged organization, we can accommodate nearly any governance framework or management structure. And if we do perform services better than anyone else at a lower operating cost, we’ll be successful.

I’d like to leave you with some additional job-seeker advice. To the recently unemployed, don’t fret. Things will turn around; they always do. The job market really does stink at the moment, but there are things that even a caveman can do to make himself more marketable. Take the opportunity to consult, speak at industry events and write about your experiences. I know one recruiter who relies mainly on the “nomination” list of one of the best security awards that money can buy where you pay your $150 fee, nominate yourself and make their list of “security luminaries.” One final piece of advice: Build a short list of recruiters and friends in the industry that know their way around the block. A useless recruiter will hamper your search more than help it. If they can’t articulate exactly what qualities they are looking for in a candidate or can’t tell you exactly what the role entails, you should cut your losses and remove them from the Rolodex. Good luck. ■


The author is currently employed as the security chief at a global financial services firm.




[cso view]

By  Audry  Agle 


Seven Practical Ideas for Security Awareness

Former CISO Audry Agle offers steps for creating the culture necessary to protect your organization.


We’ve all heard examples of thieves posing as authorized personnel gaining entry into work areas to pilfer information or equipment. Often, technical controls are of little or no use in protecting the organization in this scenario as it generally exploits the trusting nature of those who have legitimate access.

It is widely agreed that the single most effective security measure is staff awareness. So how does leadership create and maintain a security-conscious mind-set within the organization? Constant reinforcement. Remember the old rule of thumb that a person needs to hear a message seven times before it sinks in. So here are seven ideas to help you get the message integrated into the culture of your company.

1. Appeal to personal lives: Get people interested in security by arming them with techniques to secure their personal information; if they securely tend to their own business, they’re more likely to tend to their employer’s. Offer “lunch-n-learn” sessions where staff can get tips on what needs to be shredded or locked up at home, how to manage personal passwords, how to secure home wireless networks, etc. Your employees will welcome the opportunity to ask questions they may otherwise be embarrassed to ask, and you’ll be showing them that you care about them as individuals.

2. Make the message visible: Put posters up at fax machines, shred bins and coffee rooms. Make them eye-catching but simple; something anyone walking by can read and interpret without breaking stride—they’re more likely to remember the content. Change them at least once per month so there is always something new. If you don’t have a graphic artist on staff, hire a college kid to do the artwork or use one of the security awareness vendors for ready-made ones.

3.  Provide  treats:  You’d  be  surprised 
how  far  a  donut  goes  to  get  attention.  Have 
an  occasional  celebration  where  security 
thanks  the  staff  for  doing  their  part. 

4. Use their desk: If you have a clean-desk policy, perform random desk checks after hours. Reward those who have no sensitive material out by leaving a small treat like a piece of candy or pack of gum and a “thanks for doing your part” note, or enter them in a monthly drawing for a prize. For those who aren’t meeting the criteria, leave a gentle reminder with specifics about what needs to be corrected. Repeat offenders should be discussed with management.

5. Bring it to their computer screen: If you have a company newsletter, be certain to include a security article in each edition and provide information on the latest incidents that have occurred, particularly in your industry. Supplement your newsletter with a monthly e-mail to all staff with a short message about a timely and relevant topic—PDA safety, emergency preparedness or a reminder of who to call for suspicious incidents. Provide a security page on your employee intranet that lists the security policies, important contact information, links, etc.

6. Require training: Training programs will be more effective if you include interactive exercises, contests, games or give-aways. Try to keep it short, and test comprehension.

7.  Walk  the  walk:  Perhaps  the  most 
impactful  technique  is  for  senior  leadership 
members  to  display  their  own  penchant  for 
security.  If  it  looks  to  be  important  at  the  top, 
you  can  bet  it’ll  be  important  at  the  bottom. 
Advertise  internally  when  someone  does 
something  that  thwarts  a  potential  attack 
or  comes  up  with  a  control  that  bolsters 
the  security  of  your  organization  in  a  cost- 
effective  manner.  Use  incident  exercises  at 
all  levels,  including  executive  leadership. 

Remember that your employees can make or break your security program; keep them engaged in the process by soliciting feedback and suggestions. Provide a phone message line and e-mail box, anonymous if necessary. Make it easy to use and nonthreatening, and welcome stupid questions.

A security-aware culture is possible in any organization as long as it is the standard by which everyone operates, and concepts are consistently reinforced. ■


Audry Agle, CISSP, CBCP, MBA, is an independent risk management consultant in San Diego.






REGISTER  BY  AUGUST  31ST  AND  SAVE! 

Full  conference  and  one  night’s  accommodation  for  only  $695 
Register  now  at  www.digitialidworld.com  and  reference  priority  code  AD3 
(ISC)2  Credits:  Members  can  earn  up  to  24  CPE  credits  by  attending  this  event. 

produced by BUSINESS RISK LEADERSHIP

Digital ID World is the premier event for the identity and access management industry. This is the one place where you will find focused content, focused solutions and focused networking opportunities to support your IDM initiatives. You’ll hear from industry experts and your peers on the latest tools, technologies and tactics. Top-notch keynote addresses from leading identity management and privacy experts like Jeff Jonas and Dr. Larry Ponemon set the stage for three days of Summit workshop sessions, hands-on labs and focused breakout sessions on burning technological and business issues. You’ll learn what has worked well, what to avoid and how to prioritize your identity management projects within the scope of your company’s goals. If it’s about identity, you’ll hear about it at Digital ID World.

DIGITALIDWORLD 

“Driving  Innovation  with  Identity ” 


September  14-16, 2009 
Rio  Hotel  and  Casino 
Las  Vegas,  Nevada 
www.digitalidworld.com 


Called for Travelling

Nearly 200 French prisoners are preparing to take to their bikes in the first-ever penal Tour de France. The 194 inmates, escorted by 124 prison guards and sports instructors, will set off from Lille and cycle about 2,400 kilometers (1,500 miles), ending up in Paris. They will have to cycle in a pack, will not be ranked and, for obvious reasons, breakaway sprints will not be allowed. Prison authorities say they hope the race will help the inmates learn values such as teamwork and self-esteem. The prisoners, all serving jail terms of between five and 10 years, will make stopovers in 17 different towns, each of which has a jail.

-BBC News, 6/4/09

IN RELATED NEWS, the U.S. penal system announced the formation of an NBA expansion franchise, the Leavenworth (Kansas) Maximums. The 12-prisoner traveling roster will be accompanied to its 82 road games (no home games are scheduled) by a 156-member guard and cheering squad, unofficially known as "the posse." The Maximums are expected to play a lot of zone defense and, for obvious reasons, will not be allowed to fast break.

Illustration by Steve Traynor


The one security blanket you won't be embarrassed to take to work.

ISACA® Certifications

ISACA certifications increase your value to employers and clients.


AWARDS 2009 WINNER: Honored in the U.S.

CISA wins SC Magazine's Best Professional Certification

CISM named finalist for SC Magazine's Best Certification Program


Being a CISA®, CISM® and/or CGEIT®:

> Counts in the hiring process.

> Enhances your credibility and recognition.

> Boosts your earning potential.


Secure Your Career: Get Certified.

Visit www.isaca.org/csomag.

ISACA
Serving IT Governance Professionals


CA Security Management software streamlines your IT security environment so your business can be more secure, agile and compliant without upsizing your infrastructure. All with faster time to value. Greater efficiency starts with more efficient IT. That's the power of lean

Learn more at ca.com/security/value


SC Magazine Reader Trust Award for Best Identity Management Solution

© 2009 CA. All rights reserved.


